I. Overview

Apache Druid has officially released the latest version 0.20.2 and disclosed a remote code execution vulnerability (CVE-2021-26919) that affects versions earlier than Apache Druid 0.20.2. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow attackers to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes.

Apache Druid is an open-source distributed data storage system. Druid aims to quickly obtain a large amount of event data and provide low-latency query based on the data.

If you are an Apache Druid user, check your versions and implement timely security hardening.

Reference link: https://seclists.org/oss-sec/2021/q1/273

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Druid versions before 0.20.2

Secure version:

Apache Druid 0.20.2

IV. Vulnerability Inspection and Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://github.com/apache/druid/releases/tag/druid-0.20.2

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.