Service Notices
Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
Mar 31, 2021 GMT+08:00
I. Overview
Apache Druid has officially released version 0.20.2 and disclosed a remote code execution vulnerability (CVE-2021-26919) that affects Apache Druid versions earlier than 0.20.2. The MySQL JDBC driver supports certain connection properties which, if left unmitigated, allow an attacker who controls a malicious MySQL server to execute arbitrary code within Druid server processes.
Apache Druid is an open-source distributed data store. It is designed to ingest large volumes of event data quickly and serve low-latency queries over that data.
If you are an Apache Druid user, check your versions and implement timely security hardening.
Reference link: https://seclists.org/oss-sec/2021/q1/273
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Druid versions before 0.20.2
Secure version:
Apache Druid 0.20.2
IV. Vulnerability Inspection and Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
https://github.com/apache/druid/releases/tag/druid-0.20.2
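To check whether a node falls into the affected range, the following script (an added example, not part of this notice or of the Druid project) compares a reported Druid version against 0.20.2. It assumes the version string comes from the JSON body of a Druid node's /status endpoint under a "version" key; the sample responses are constructed. Versions are compared numerically, so 0.9.x is correctly treated as older than 0.20.2 (a plain string comparison would get this wrong).

```python
import json
import re
from typing import Optional, Tuple

FIXED_VERSION = "0.20.2"  # first secure release named in the notice


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.20.1' or '0.20.1-incubating' into a comparable tuple of ints.
    A leading 'v' and any suffix after the numeric part (e.g. '-incubating',
    '-SNAPSHOT') are ignored. Short versions are padded so 0.20 == 0.20.0."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version is earlier than 0.20.2 (CVE-2021-26919 affected range)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_status_json(status_body: str) -> Optional[str]:
    """Inspect the JSON body returned by a Druid node's /status endpoint
    (assumed to carry a top-level 'version' key) and return a finding
    string if the node is affected, or None if it is on a fixed version."""
    data = json.loads(status_body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("status response has no 'version' field")
    if is_affected(version):
        return (f"Druid {version} is affected by CVE-2021-26919; "
                f"upgrade to {FIXED_VERSION} or later")
    return None


# Constructed sample /status bodies (not captured from a real cluster)
SAMPLE_AFFECTED = '{"version":"0.20.1","modules":[],"memory":{}}'
SAMPLE_FIXED = '{"version":"0.20.2","modules":[],"memory":{}}'

if __name__ == "__main__":
    for body in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(check_status_json(body) or "not affected")
```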
Note: Before applying the fix, back up your data and configuration and test the upgrade thoroughly.