I think all Druid versions except 0.20.1 can potentially have the bug.

On Fri, Jan 29, 2021 at 3:28 PM David Glasser <glas...@apollographql.com> wrote:
>
> What is the oldest Druid version with this vulnerability?
>
> On Fri, Jan 29, 2021 at 10:03 AM Jihoon Son <jihoon...@apache.org> wrote:
> >
> > Description:
> >
> > Apache Druid includes the ability to execute user-provided JavaScript
> > code embedded in various types of requests. This functionality is
> > intended for use in high-trust environments, and is disabled by
> > default. However, in Druid 0.20.0 and earlier, it is possible for an
> > authenticated user to send a specially-crafted request that forces
> > Druid to run user-provided JavaScript code for that request,
> > regardless of server configuration. This can be leveraged to execute
> > code on the target machine with the privileges of the Druid server
> > process.
> >
> > Mitigation:
> >
> > Users should upgrade to Druid 0.20.1. Whenever possible, network
> > access to cluster machines should be restricted to trusted hosts only.
> >
> > Credit:
> >
> > This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> > For additional commands, e-mail: dev-h...@druid.apache.org
> >
>
> --
> You received this message because you are subscribed to the Google Groups
> "Druid User" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to druid-user+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/druid-user/CAOz3OdtkB1LdzCWo_nyBpUoDgD%2BvRby%3DaRrkNzzqvRgid_5Www%40mail.gmail.com.
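The advisory quoted above gives one actionable fact for an operator: 0.20.0 and earlier are affected, 0.20.1 carries the fix, and the JavaScript-enabled setting cannot be relied on because the crafted request bypasses server configuration. The script below is an added example, not code from the Druid project or from anyone in this thread. It triages a fleet by the version string each node reports and classifies anything below 0.20.1 as affected. It assumes (not stated in the thread) that the version is read from the JSON `version` field of a Druid node's `/status` endpoint; the host names and response bodies are constructed sample data, so it runs offline.

```python
"""
Added example (not from the Druid project or the mailing-list thread):
classify Druid nodes against the fix version named in the advisory.

Assumptions not stated in the thread:
  * each node's version is the top-level "version" field of the JSON
    returned by its /status endpoint
  * the host names and bodies in SAMPLE_STATUS are constructed, not captured
"""
import json
import re
from typing import Dict, Optional, Tuple

# From the advisory: "Users should upgrade to Druid 0.20.1."
FIXED_VERSION: Tuple[int, int, int] = (0, 20, 1)

# Druid version strings may carry a suffix (e.g. "-incubating"); only the
# leading numeric triple matters for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_druid_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the string is not a version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True for 0.20.0 and earlier, False for 0.20.1 and later, None if unparseable."""
    parsed = parse_druid_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def classify_status_body(body: str) -> Optional[bool]:
    """Classify a raw /status response body; None when no version can be read.

    A non-JSON body (login page, proxy error) is reported as unknown rather
    than silently treated as fixed.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    version = doc.get("version") if isinstance(doc, dict) else None
    if not isinstance(version, str):
        return None
    return is_vulnerable(version)


def triage(status_bodies: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'fixed' | 'unknown' from collected /status bodies."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[classify_status_body(body)] for host, body in status_bodies.items()}


# Constructed sample /status responses (assumed shape; not captured from real servers).
SAMPLE_STATUS: Dict[str, str] = {
    "coordinator-a": '{"version": "0.20.0", "modules": []}',
    "broker-b": '{"version": "0.20.1", "modules": []}',
    "historical-c": '{"version": "0.16.0-incubating", "modules": []}',
    "router-d": '{"version": "0.21.0", "modules": []}',
    "unknown-e": "<html>login required</html>",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_STATUS).items():
        print(f"{host:14s} {verdict}")
```

Anything reported as "unknown" needs a manual look rather than being assumed safe; and because the advisory says the crafted request works "regardless of server configuration", a node with JavaScript disabled in its properties still belongs in the "vulnerable" column until it is on 0.20.1 or later.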