Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)

Published 2021-03-30

0x00 Vulnerability overview

CVE ID: CVE-2021-26919

Date: 2021-03-30

Type: RCE

Severity: Medium

Remotely exploitable: Yes

Affected versions: Druid <= 0.20.1

PoC/EXP: Not public

In-the-wild exploitation:
 

0x01 Vulnerability details


Apache Druid is a high-performance analytics database designed for fast slice-and-dice analysis (OLAP queries) over large datasets.

On 29 March 2021, Apache published a security advisory disclosing a remote code execution vulnerability in Apache Druid (CVE-2021-26919).

Druid can read data from other databases over JDBC. This feature is intended for trusted users who, with the appropriate permissions, configure lookups or submit ingestion tasks. The upstream advisory attributes the code execution to connection properties accepted by the MySQL JDBC driver, which let a Druid server process be pointed at an attacker-controlled MySQL server. Because Apache Druid ships with no authentication or authorization enabled by default, an attacker who can reach the service can submit crafted requests, execute arbitrary code inside the Druid process, and thereby take control of the server.

 

0x02 Remediation advice

The vendor has fixed this vulnerability; upgrade to Druid 0.20.2 promptly.

Download link:

https://github.com/apache/druid/releases/tag/druid-0.20.2
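As an added example, not part of the original advisory and not Druid's own tooling: a small Python triage script that compares the version a Druid node reports against the affected range above (anything below 0.20.2). It assumes the node's HTTP `/status` endpoint returns JSON with a `version` field; the sample responses embedded below are constructed, not captured from real hosts. An unauthenticated 200 from `/status` is itself a sign of the "no authentication by default" condition described above, so only run the live check against hosts you are authorized to test.

```python
"""Version triage for CVE-2021-26919 (added example, not from the advisory).

Assumption: a Druid node answers GET /status with JSON that includes a
"version" field such as "0.20.1". Sample bodies below are constructed.
"""
import json
import re
import urllib.request

# First release that contains the fix, per the advisory above.
FIXED_VERSION = (0, 20, 2)


def parse_version(version: str) -> tuple:
    """Turn '0.20.1' (or '0.15.1-incubating') into a comparable tuple (0, 20, 1)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Druid version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Druid <= 0.20.1 is in scope; 0.20.2 and later are not."""
    return parse_version(version) < FIXED_VERSION


def triage_status_body(body: str) -> dict:
    """Classify one /status JSON body into a small report."""
    data = json.loads(body)
    version = data.get("version")
    if version is None:
        return {"version": None, "affected": None,
                "note": "no version field in /status response"}
    return {"version": version, "affected": is_affected(version), "note": ""}


def check_host(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /status from a live node without credentials and triage it.

    Raises urllib.error.HTTPError if the node demands authentication, which
    is the desirable outcome on a hardened deployment.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/status",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return triage_status_body(resp.read().decode("utf-8"))


# Constructed sample responses (assumed shape of a real /status reply).
SAMPLE_AFFECTED = '{"version":"0.20.1","modules":[],"memory":{}}'
SAMPLE_FIXED = '{"version":"0.20.2","modules":[],"memory":{}}'

if __name__ == "__main__":
    for body in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(triage_status_body(body))
    # Live use, against a host you are permitted to test:
    # print(check_host("http://druid-router.example.internal:8888"))
```

The comparison is done on numeric tuples rather than string order so that, for example, 0.21.0 is correctly treated as newer than 0.20.2.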

 

0x03 References

http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3CCACZfFK6Va-CqhfDUPqPvqBCw8JsJwQ1xRe8JxeQbX5cRyi7qJg@mail.gmail.com%3E

https://github.com/apache/druid/releases/tag/druid-0.20.2

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26919

 

0x04 Timeline

2021-03-29  Apache publishes the security advisory

2021-03-30  VSRC publishes this security advisory

 

0x05 Appendix

 

CVSS scoring standard (official site): http://www.first.org/cvss/
