Hi all, I recently noticed that CVE-2021-26919 is filed with the CVSS score of 8.8(!) in NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-26919). This seems overestimated to me based on the analysis below.
- The Druid cluster should have a MySQL JDBC connector jar loaded in its class path. The MySQL JDBC connector is not bundled in the Druid distribution by default.
- The Druid cluster should be able to access a malicious MySQL server. In production, the Druid cluster is recommended to have access to only trusted hosts, even though Druid does not provide any method by itself to restrict accessible hosts yet.
- The attacker should have proper permissions, either write permission on a datasource (ingestion via JDBC) or write permission on system configurations (JDBC-based lookup). In the current security model of Druid, there are roughly 3 different groups of users, i.e., system administrators, users who have data management roles, and users who can only read data. In production, we recommend granting the permissions in question to only the first 2 groups, which are usually restricted to a small number of trusted people.

Based on these requirements, the CVSS vector string I used for calculation can be found in https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.

The Attack Complexity was set to high (whereas it was set to low in the NVD calculation) because the vulnerability requires the Druid cluster to have the MySQL JDBC driver loaded and to have access to the malicious MySQL server. However, I see the point of the attack complexity being set to low as well, because MySQL is popularly used as Druid's metadata store and restricting accessible hosts requires extra setup.

The Privileges Required was set to high as well in my calculation (whereas it was set to low in the NVD calculation). This was because the attacker should have the permissions of either system administrators or users who have data management roles to exploit the vulnerability. These permissions are recommended to be granted to a small number of trusted people in the production environment, as explained above.
As a result, the CVSS score is 6.6 or 7.2 in my calculation depending on the Attack Complexity, which is lower than that filed in NVD in either case. Fortunately, per the description in https://nvd.nist.gov/vuln/detail/CVE-2021-26919, the score is not final yet and there is still some room to adjust it. Once we find a reasonable score that we all agree on, I will reach out to the ASF security team to figure out how to discuss it with the NVD team.

Do the vector string and the CVSS score I calculated make sense? Any thoughts?

Jihoon