Hi David,

For 1), ordinarily we only release fixes for the most recent major version.
In this case we did two major versions (31 and 32), because 32 had a major
change in that it removed all legacy non-SQL compliant null handling
behaviors. If you need a patched version of v29 you can apply the patch
from 32.0.1 locally. There is only one patch that affects production code,
the link from the release notes will lead you to it.

For 2), the simplest mitigation is to disable the management proxy, by
setting druid.router.managementProxy.enabled = false on the Router, or to
block it upstream of the Router by blocking paths beginning with
/druid/indexer, /druid/coordinator, or /proxy. Some web console
functionality won't work with the proxy disabled (such as task submission
or supervisor editing), and for API access you'll need to contact the
Coordinator and Overlord directly rather than going through the Router. But
beyond that, Druid functionality will continue to work as expected, because
Druid doesn't use the Router's management proxy for internal
communications. For the time being I'm avoiding sharing more specific
things that can be blocked, since I don't want to make it too obvious how
to exploit the issue.

Gian

On Wed, Mar 19, 2025 at 11:30 AM David Glasser
<glas...@apollographql.com.invalid> wrote:

> Thanks Adarsh!
>
> Our systems are still on v29. We do have a planned upgrade but we want
> to try to protect ourselves from this as quickly as possible.
>
> Two questions:
>
> 1) Since it looks like this is a simple one-line fix, can we consider
> backporting to a few more major versions, such as v29?
>
> 2) Is there a simple pattern in HTTP requests to druid-router that
> trigger this issue which we could explicitly block at a level in front
> of druid-router, before we are able to upgrade to a fixed version?
>
> On Wed, Mar 19, 2025 at 9:23 AM Adarsh Sanjeev <adarshsanj...@apache.org>
> wrote:
> >
> > Affected versions:
> >
> > - Apache Druid before 31.0.2
> > - Apache Druid before 32.0.1
> >
> > Description:
> >
> > Severity: medium (5.8) / important
> >
> > Server-Side Request Forgery (SSRF), Improper Neutralization of Input
> > During Web Page Generation ('Cross-site Scripting'), URL Redirection to
> > Untrusted Site ('Open Redirect') vulnerability in Apache Druid.
> >
> > This issue affects all previous Druid versions.
> >
> >
> > When using the Druid management proxy, a request that has a specially
> > crafted URL could be used to redirect the request to an arbitrary server
> > instead. This has the potential for XSS or XSRF. The user is required to be
> > authenticated for this exploit. The management proxy is enabled in Druid's
> > out-of-box configuration. It may be disabled to mitigate this
> > vulnerability. If the management proxy is disabled, some web console
> > features will not work properly, but core functionality is unaffected.
> >
> >
> > Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which
> > fixes the issue.
> >
> > References:
> >
> > https://druid.apache.org
> > https://www.cve.org/CVERecord?id=CVE-2025-27888
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> > For additional commands, e-mail: dev-h...@druid.apache.org
> >
>

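The two mitigations Gian describes above (turning off the management proxy on the Router, or rejecting the `/druid/indexer`, `/druid/coordinator` and `/proxy` path prefixes in front of it) are easy to get half right, so here is an added example, not code from the thread or from the Druid project, that turns them into checks a defender can run before and after the change. It assumes a Router `runtime.properties` in plain Java `key=value` form and access logs in the common combined format; the sample properties text and log lines are constructed for the example, and `should_block`, `management_proxy_enabled` and `audit_access_log` are names chosen here, not Druid APIs.

```python
"""
Defender-side checks for the CVE-2025-27888 mitigations discussed in the thread.

1. should_block(path): the upstream path rule ("paths beginning with
   /druid/indexer, /druid/coordinator, or /proxy").
2. management_proxy_enabled(properties_text): reads a Router
   runtime.properties and reports whether the proxy is still on.
3. audit_access_log(lines): applies the rule to access-log lines so you can
   see which clients currently depend on the proxy before you turn it off.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Prefixes named in the thread as the management-proxy entry points.
MANAGEMENT_PROXY_PREFIXES = ("/druid/indexer", "/druid/coordinator", "/proxy")

# Name of the Router property from the thread; absent means "enabled",
# because the advisory says the proxy is on in the out-of-box configuration.
PROXY_PROPERTY = "druid.router.managementProxy.enabled"


def normalize_path(raw_target: str) -> str:
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode, and collapse repeated slashes. Matching on a normalized
    form is general hardening for any prefix-based filter."""
    path = urlsplit(raw_target).path
    path = unquote(path)
    return re.sub(r"/+", "/", path)


def should_block(raw_target: str) -> bool:
    """True if an upstream filter should reject this request (the path rule
    from the thread: paths beginning with one of the three prefixes)."""
    path = normalize_path(raw_target)
    return any(path.startswith(prefix) for prefix in MANAGEMENT_PROXY_PREFIXES)


def management_proxy_enabled(properties_text: str) -> bool:
    """Parse a Router runtime.properties (simple key=value lines; '#' and '!'
    start comments) and report whether the management proxy is enabled."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        if key.strip() == PROXY_PROPERTY:
            return value.strip().lower() != "false"
    return True  # key absent: Druid default is enabled


# Combined log format: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def audit_access_log(lines) -> Counter:
    """Count, per client, the requests the upstream rule would reject. Run this
    over real Router access logs to learn who uses the proxy today."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and should_block(m["target"]):
            hits[m["client"]] += 1
    return hits


# Constructed sample data for the example.
SAMPLE_PROPERTIES = "druid.service=druid/router\n# management proxy left at default\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Mar/2025:11:30:00 +0000] "GET /druid/v2/sql HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Mar/2025:11:30:01 +0000] "POST /druid/indexer/v1/task HTTP/1.1" 200 88',
    '10.0.0.9 - - [19/Mar/2025:11:30:02 +0000] "GET /proxy/coordinator/status HTTP/1.1" 200 301',
    '10.0.0.9 - - [19/Mar/2025:11:30:03 +0000] "GET /druid/coordinator/v1/leader HTTP/1.1" 200 20',
    '10.0.0.7 - - [19/Mar/2025:11:30:04 +0000] "GET /unified-console.html HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print("management proxy enabled:", management_proxy_enabled(SAMPLE_PROPERTIES))
    for client, n in audit_access_log(SAMPLE_LOG).items():
        print(f"{client}: {n} request(s) would be blocked upstream")
```

The audit is the step worth running first: the thread notes that task submission and supervisor editing stop working through the Router once the proxy is off, and the per-client counts tell you which consoles or automation will need to talk to the Coordinator and Overlord directly instead.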