CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)

2021-09-24 Thread Clint Wylie
Severity: low

Description:

In the Druid ingestion system, the InputSource is used for reading
data from a certain data source. However, the HTTP InputSource allows
authenticated users to read data from other sources than intended,
such as the local file system, with the privileges of the Druid server
process. This is not an elevation of privilege when users access Druid
directly, since Druid also provides the Local InputSource, which
allows the same level of access. But it is problematic when users
interact with Druid indirectly through an application that allows
users to specify the HTTP InputSource, but not the Local InputSource.
In this case, users could bypass the application-level restriction by
passing a file URL to the HTTP InputSource.

This issue was previously mentioned as being fixed in 0.21.0 as per
CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

Mitigation:

Users can avoid the issue by upgrading to 0.22.0 or a higher version.

In versions earlier than 0.22.0, when the user application wants to
restrict access to the local file system, it should disallow all
InputSources that can read local files, that is the Local, HTTP, and
HDFS InputSources.
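The following is an added example of that application-level check, not code from the advisory or from the Druid project: a validator an intermediary application can run over an ingestion spec before forwarding it to a Druid version older than 0.22.0. It rejects any inputSource whose type is Local, HTTP or HDFS, wherever it appears in the spec, rather than trying to inspect URLs, because the advisory's point is that the HTTP type itself can be pointed at a file URL. The spec layout (spec.ioConfig.inputSource, the "uris" field of the HTTP source, the "inline" source type) follows the native batch ingestion spec as assumed here; datasource names, paths and URLs are constructed sample values.

```python
"""Reject Druid ingestion specs whose inputSource could read local files.

Added example (not Druid's own code) of the pre-0.22.0 mitigation from
CVE-2021-36749: an application that submits specs on behalf of its users
disallows the Local, HTTP and HDFS InputSources outright.  Spec layout
(spec.ioConfig.inputSource, "uris", "inline") is assumed from the native
batch ingestion spec; all sample values below are constructed.
"""
import json

# InputSource types the advisory names as able to read the local file system.
LOCAL_CAPABLE_TYPES = frozenset({"local", "http", "hdfs"})


def find_input_sources(node, path="$"):
    """Recursively yield (json_path, inputSource dict) for every inputSource
    found anywhere in the spec, including one nested inside another."""
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if key == "inputSource" and isinstance(value, dict):
                yield child_path, value
            yield from find_input_sources(value, child_path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_input_sources(item, f"{path}[{i}]")


def check_ingestion_spec(spec, denied_types=LOCAL_CAPABLE_TYPES):
    """Return a list of policy violations (an empty list means the spec is allowed).

    Every inputSource with a denied or missing type is reported, so the caller
    can show all problems at once.  A spec with no inputSource at all is also
    rejected: the application should know exactly what it is submitting.
    """
    violations = []
    sources = list(find_input_sources(spec))
    if not sources:
        violations.append("$: no inputSource found in spec")
    for json_path, source in sources:
        source_type = source.get("type")
        if not isinstance(source_type, str):
            violations.append(f"{json_path}: inputSource has no string 'type'")
        elif source_type.lower() in denied_types:
            violations.append(
                f"{json_path}: inputSource type '{source_type}' may read "
                "local files and is not allowed before Druid 0.22.0"
            )
    return violations


def is_spec_allowed(spec_json):
    """Parse a JSON spec string; True only if it parses and passes the policy."""
    try:
        spec = json.loads(spec_json)
    except ValueError:
        return False
    return not check_ingestion_spec(spec)


def sample_spec(input_source):
    """Constructed native batch spec skeleton around the given inputSource."""
    return {
        "type": "index_parallel",
        "spec": {
            "dataSchema": {"dataSource": "example_events"},  # sample name
            "ioConfig": {
                "type": "index_parallel",
                "inputSource": input_source,
                "inputFormat": {"type": "json"},
            },
        },
    }


# HTTP source handed a file URL: the bypass the advisory describes (constructed path).
HTTP_WITH_FILE_URL = sample_spec(
    {"type": "http", "uris": ["file:///srv/example/events.json"]}
)
# HTTP source with an ordinary URL: still denied, because the type is the
# problem on affected versions, not the particular URL (constructed URL).
HTTP_WITH_HTTPS_URL = sample_spec(
    {"type": "http", "uris": ["https://data.example.test/events.json"]}
)
# Inline source carries its data inside the spec and reads no file system.
INLINE_SOURCE = sample_spec(
    {"type": "inline", "data": '{"ts": "2021-09-24T00:00:00Z", "n": 1}'}
)
INLINE_SOURCE_JSON = json.dumps(INLINE_SOURCE)

if __name__ == "__main__":
    for name, spec in [("http+file", HTTP_WITH_FILE_URL),
                       ("http+https", HTTP_WITH_HTTPS_URL),
                       ("inline", INLINE_SOURCE)]:
        print(name, check_ingestion_spec(spec) or "allowed")
```

The walk over the whole document rather than a single fixed path is deliberate: a spec that smuggles a second inputSource somewhere the application did not expect is still caught, and once the cluster is on 0.22.0 or later the denylist can be narrowed without changing the traversal.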

Credit:

This issue was originally discovered by chybeta from the Security Team
of Alibaba Cloud.
ABKing and g0udan from the Security Team of Xiaomi discovered that it
was still an issue after CVE-2021-26920.


[ANNOUNCE] Apache Druid 0.22.0 release

2021-09-22 Thread Clint Wylie
The Apache Druid team is proud to announce the release of Apache Druid 0.22.0.
Druid is a high performance analytics data store for event-driven data.

Apache Druid 0.22.0 contains over 400 new features, performance
enhancements, bug fixes, and documentation improvements from 73
contributors. Major new features and improvements include:

- Support for number formatting and bitwise operations
- Support for ARRAY_AGG and STRING_AGG SQL aggregators
- Improved batch ingestion memory usage
- Support for using deep storage for native batch shuffle storage
- Experimental task autoscaling for Apache Kafka and Amazon Kinesis
based streaming ingestion
- Apache Avro and Protobuf streaming 'InputFormat' implementations,
and improved support of Confluent Schema Registry
- Improvements to both manual and automatic compaction
- Automatic cleanup of metadata storage

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Release notes are at:
https://github.com/apache/druid/releases/tag/druid-0.22.0

A big thank you to all the contributors in this milestone release!


[ANNOUNCE] Apache Druid 0.21.1 release

2021-06-11 Thread Clint Wylie
The Apache Druid team is proud to announce the release of Apache Druid 0.21.1.
Druid is a high performance analytics data store for event-driven data.

Apache Druid 0.21.1 is a minor release to fix regressions introduced in 0.21.0.
Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Release notes are at: https://github.com/apache/druid/releases/tag/druid-0.21.1

A big thank you to all the contributors that helped fix the issues for
this release!


[ANNOUNCE] Apache Druid 0.19.0 release

2020-07-21 Thread Clint Wylie
The Apache Druid team is proud to announce the release of Apache Druid 0.19.0.
Druid is a high performance analytics data store for event-driven data.

Apache Druid 0.19.0 contains around 200 new features, bug fixes,
performance enhancements, documentation improvements, and additional test
coverage from 51 contributors. Major new features and improvements include:

- GroupBy and Timeseries vectorized query engines enabled by default
- Druid native batch support for Apache Avro Object Container Files
- Updated Druid native batch support for SQL databases
- Apache Ranger based authorization
- Alibaba Object Storage Service support
- Ingestion worker autoscaling for Google Compute Engine

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Release notes are at:
https://github.com/apache/druid/releases/tag/druid-0.19.0

A big thank you to all the contributors in this release!


[ANNOUNCE] Apache Druid (incubating) 0.16.0 release

2019-09-26 Thread Clint Wylie
The Apache Druid team is proud to announce the release of Apache Druid
(incubating) 0.16.0. Druid is a high performance analytics data store for
event-driven data.

Apache Druid 0.16.0-incubating contains over 350 new features, performance
enhancements, bug fixes, and major documentation improvements from 50
contributors. Major new features and improvements include:

- 'Vectorized' query processing
- 'Minor' compaction
- Native parallel indexing with shuffle
- New 'indexer' process
- Huge improvements to the web console
- New documentation website
- Official Docker image

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Release notes are at:
https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating

A big thank you to all the contributors in this milestone release!



Disclaimer: Apache Druid is an effort undergoing incubation at The Apache
Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is
required of all newly accepted projects until a further review indicates
that the infrastructure, communications, and decision making process have
stabilized in a manner consistent with other successful ASF projects. While
incubation status is not necessarily a reflection of the completeness or
stability of the code, it does indicate that the project has yet to be
fully endorsed by the ASF.


[ANNOUNCE] Apache Druid (incubating) 0.15.1 release

2019-08-19 Thread Clint Wylie
Announcing Apache Druid 0.15.1-incubating, a small but important release
that includes a collection of bug and documentation fixes.

Apache Druid (incubating) is a high performance analytics data store for
event-driven data.

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

See the release notes for additional details:
https://github.com/apache/incubator-druid/releases/tag/druid-0.15.1-incubating

Thanks to everyone who contributed to this release!



[ANNOUNCE] Apache Druid (incubating) 0.14.2 released

2019-05-29 Thread Clint Wylie
Announcing Apache Druid 0.14.2-incubating, a bug fix release that includes
important fixes for the 'druid-datasketches' extension and query result
caching. This is our 4th release as an Apache Incubating project.

Apache Druid (incubating) is a high performance analytics data store for
event-driven data.

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html


See the release notes for additional details:
https://github.com/apache/incubator-druid/releases/tag/druid-0.14.2-incubating

Thanks to everyone who contributed to this release!



[ANNOUNCE] Apache Druid (incubating) 0.14.1 release

2019-05-14 Thread Clint Wylie
Announcing Apache Druid 0.14.1-incubating, a small patch release that
includes a handful of bug and documentation fixes. This is our 3rd release
as an Apache Incubating project.

Apache Druid (incubating) is a high performance analytics data store for
event-driven data.

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Important notice:
This release fixes an issue with the 'druid-datasketches' extension with
quantile sketches, but introduces another one with theta sketches that was
confirmed after the release was finalized. If you utilize theta sketches,
we recommend not upgrading to this release. This will be fixed in the next
release of Druid.

See the release notes for additional details:
https://github.com/apache/incubator-druid/releases/tag/druid-0.14.1-incubating

Thanks to everyone who contributed to this release!
