Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
Published 2021-03-30

0x00 Vulnerability overview
CVE ID | CVE-2021-26919 | Date | 2021-03-30 |
Type | RCE | Severity | Medium |
Remotely exploitable | Yes | Affected versions | Druid <= 0.20.1 |
PoC/EXP | Not public | Exploited in the wild | Not known |
0x01 Vulnerability details
Apache Druid is a high-performance analytics database designed for fast slice-and-dice analysis (OLAP queries) over large datasets.
On 29 March 2021, Apache published a security advisory disclosing a remote code execution vulnerability in Apache Druid (CVE-2021-26919).
Druid can use JDBC to read data from other databases. This feature is intended for trusted users who hold the appropriate permissions to configure lookups or submit ingestion tasks. Because Apache Druid ships without authentication or authorization enabled by default, an attacker can reach this functionality with crafted requests, execute arbitrary code, and take control of the server.
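The two facts that matter for exposure are the version (affected <= 0.20.1, fixed in 0.20.2) and whether the API is reachable without authentication. The script below is an added example, not part of this advisory or of the Druid project: it parses the version from a constructed sample of Druid's `GET /status` response and checks a constructed `common.runtime.properties` for `druid.auth.authenticatorChain` (Druid's standard authentication key, which the advisory itself does not name).

```python
# Exposure check for CVE-2021-26919 (added example, not from the advisory).
# Check 1: version reported by Druid's GET /status predates the fix (0.20.2).
# Check 2: common.runtime.properties sets no druid.auth.authenticatorChain
#          (Druid's standard auth key, which the advisory itself does not name).
import json
import re

FIXED_VERSION = (0, 20, 2)  # advisory: affected <= 0.20.1, fixed in 0.20.2

# Constructed sample of a /status response body from a Druid node.
SAMPLE_STATUS = '{"version":"0.20.1","modules":[],"memory":{"maxMemory":1}}'
# Constructed sample of common.runtime.properties with auth left commented out.
SAMPLE_PROPERTIES = """
druid.zk.service.host=zk:2181
# druid.auth.authenticatorChain=["basic"]
druid.metadata.storage.type=derby
"""

def parse_version(text: str) -> tuple:
    """Turn '0.20.1' (a suffix such as '-incubating' is ignored) into ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Druid version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(status_json: str) -> bool:
    """True when the reported version predates the fix in 0.20.2."""
    return parse_version(json.loads(status_json)["version"]) < FIXED_VERSION

def auth_configured(properties: str) -> bool:
    """True when an authenticator chain is set on a non-comment line."""
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "druid.auth.authenticatorChain" and value.strip():
            return True
    return False

def assess(status_json: str, properties: str) -> list:
    """Return the findings a defender should act on; empty means none fired."""
    findings = []
    if is_vulnerable_version(status_json):
        findings.append("version below 0.20.2: upgrade to druid-0.20.2")
    if not auth_configured(properties):
        findings.append("no druid.auth.authenticatorChain: API reachable without authentication")
    return findings

print(assess(SAMPLE_STATUS, SAMPLE_PROPERTIES))
```

Run it against the real `/status` body and properties file of each Druid node; both findings must be empty before the node can be considered out of scope for this advisory.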
0x02 Remediation advice
The vendor has released a fix for this vulnerability; upgrade to Druid 0.20.2 as soon as possible.
Download link:
https://github.com/apache/druid/releases/tag/druid-0.20.2
0x03 References
http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3CCACZfFK6Va-CqhfDUPqPvqBCw8JsJwQ1xRe8JxeQbX5cRyi7qJg@mail.gmail.com%3E
https://github.com/apache/druid/releases/tag/druid-0.20.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26919
0x04 Timeline
2021-03-29 Apache publishes its security advisory
2021-03-30 VSRC publishes this security advisory
0x05 Appendix
CVSS scoring standard (official site): http://www.first.org/cvss/