
Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)

Feb 02, 2021 GMT+08:00

I. Overview

Apache Druid has officially released version 0.20.1 and disclosed a remote code execution vulnerability (CVE-2021-25646) that affects all earlier versions. Druid can execute user-supplied JavaScript embedded in certain request types (for example, filters and aggregators). This feature is intended for high-trust environments and is disabled by default (druid.javascript.enabled=false). In versions before 0.20.1, however, a specially crafted request forces the server to run the supplied JavaScript regardless of that setting, so an attacker who can submit requests to the Druid API (any authenticated user, or anyone who can reach the service if authentication has not been configured) can execute arbitrary code with the privileges of the Druid process.

Apache Druid is an open-source distributed analytics data store. It is designed to ingest large volumes of event data quickly and to serve low-latency queries over that data.

If you run Apache Druid, check the version of every Druid process (Coordinator, Overlord, Broker, Router, Historical, MiddleManager) and apply the fix promptly.

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache Druid before 0.20.1

Secure version:

Apache Druid 0.20.1

IV. Vulnerability Inspection and Handling

The vulnerability is fixed in Apache Druid 0.20.1. If any of your Druid processes run an earlier version, upgrade them to 0.20.1 or later. After upgrading, leave druid.javascript.enabled at its default of false unless you need the JavaScript-based features and trust every user who can submit queries.

https://github.com/apache/druid/releases/tag/druid-0.20.1
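The following script is an added example written for this notice; it is not code from the Apache Druid project or from HUAWEI CLOUD. It shows how to inspect a Druid deployment for this vulnerability from the outside: each Druid process exposes a GET /status endpoint whose JSON body includes a "version" field, so the script parses that field, compares it against 0.20.1 with a proper numeric comparison (a naive string comparison would rank "0.9.0" above "0.20.0"), and, as a second check, scans a runtime.properties file for a druid.javascript.enabled=true setting that should be reviewed after the upgrade. The URL http://druid-router:8888 and the sample /status bodies and properties text are constructed for illustration, not captured from a real cluster. Version strings with pre-release suffixes such as "-SNAPSHOT" are compared on their numeric part only, so treat a 0.20.1-SNAPSHOT build as unknown rather than fixed.

```python
import json
import re
import sys
import urllib.request

# Releases at or above this version carry the fix for CVE-2021-25646.
FIXED_VERSION = "0.20.1"

# Druid versions look like 0.20.0, 0.16.0-incubating or 0.20.1-SNAPSHOT.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) for a Druid version string.
    Suffixes after the numeric triple are ignored; anything that does not
    start with three dot-separated integers raises ValueError."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Druid version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the reported version is earlier than 0.20.1."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_status_response(body: str) -> dict:
    """Evaluate the JSON body returned by a Druid process's GET /status."""
    info = json.loads(body)
    version = info["version"]
    return {"version": version, "affected": is_affected(version)}


def javascript_enabled(properties: str) -> bool:
    """Scan runtime.properties text for druid.javascript.enabled=true.
    Comment lines are skipped and the value is compared case-insensitively;
    when the key is absent, Druid's default (false) applies."""
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "druid.javascript.enabled":
            return value.strip().lower() == "true"
    return False


def fetch_status(base_url: str) -> dict:
    """Query a live Druid process. base_url is an assumed value such as
    http://druid-router:8888; the caller must be able to reach /status."""
    url = base_url.rstrip("/") + "/status"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_status_response(resp.read().decode("utf-8"))


# Constructed sample data (not captured from a real deployment).
SAMPLE_STATUS_VULNERABLE = '{"version":"0.20.0","modules":[],"memory":{}}'
SAMPLE_STATUS_FIXED = '{"version":"0.20.1","modules":[],"memory":{}}'
SAMPLE_PROPERTIES = (
    "druid.host=broker1\n"
    "# druid.javascript.enabled=true\n"
    "druid.javascript.enabled=false\n"
)

if __name__ == "__main__":
    # Usage: python druid_check.py [http://druid-router:8888]
    if len(sys.argv) > 1:
        result = fetch_status(sys.argv[1])
    else:
        result = check_status_response(SAMPLE_STATUS_VULNERABLE)
    print(result)
    print("javascript enabled in sample properties:",
          javascript_enabled(SAMPLE_PROPERTIES))
```

Run it once against every Druid process type rather than only the Router, since a mixed-version rollout leaves the older processes exploitable. The properties check is a post-upgrade hygiene step: before 0.20.1 the setting was bypassed, so its value tells you nothing about exposure on an affected version.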

HUAWEI CLOUD WAF can help block attempts to exploit this vulnerability. If you are a WAF user, set the basic web protection mode to Block; for details, see Configuring Basic Web Protection Rules. Treat WAF as a mitigating control while you schedule the upgrade, not as a substitute for it.

Note: Before applying the fix, back up your data and configuration files and test the upgrade thoroughly in a non-production environment.