Thanks, I will ask the ASF security team to figure out how we can discuss the score with the NVD.
On Mon, Apr 5, 2021 at 5:50 PM Suneet Saldanha <suneet.salda...@imply.io> wrote:
>
> I agree with the CVSS string that you shared. The privileges required should be high, since only an admin can exploit this vulnerability.
>
> I think it's ok if we keep the attack complexity at low, and state in the CVE that it only affects users with the MySQL JDBC driver loaded. So in this case, a CVSS of 7.2 seems reasonable.
>
> On Mon, Apr 5, 2021 at 3:25 PM Jihoon Son <jihoon...@apache.org> wrote:
> >
> > Hi all,
> >
> > I recently noticed that CVE-2021-26919 is filed with the CVSS score of 8.8(!) in NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-26919). This seems overestimated to me based on the analysis below.
> >
> > - The Druid cluster should have a MySQL JDBC connector jar loaded in its class path. The MySQL JDBC connector is not bundled in the Druid distribution by default.
> > - The Druid cluster should be able to access a malicious MySQL server. In production, the Druid cluster is recommended to have access to only trusted hosts, even though Druid does not provide any method by itself to restrict accessible hosts yet.
> > - The attacker should have proper permissions, either a write permission on a datasource (ingestion via JDBC) or a write permission on system configurations (JDBC-based lookup). In the current security model of Druid, there are roughly 3 different groups of users, i.e., system administrators, users who have data management roles, and users who can only read data. In production, we recommend granting the permissions in question to only the first 2 groups, which are usually restricted to a small number of trusted people.
> >
> > Based on these requirements, the CVSS vector string I used for calculation can be found in https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.
> >
> > The Attack Complexity was set to high (whereas it was set to low in the NVD calculation) because the vulnerability requires the Druid cluster to have the MySQL JDBC driver loaded and to have access to the malicious MySQL server. However, I see the point of the attack complexity being set to low as well, because MySQL is popularly used as Druid's metadata store and restricting accessible hosts requires extra setup.
> >
> > The Privileges Required was set to high as well in my calculation (whereas it was set to low in the NVD calculation). This was because the attacker should have the permission of either system administrators or users who have data management roles to exploit the vulnerability. These permissions are recommended to be granted to a small number of trusted people in the production environment, as explained above.
> >
> > As a result, the CVSS score is 6.6 or 7.2 in my calculation depending on the Attack Complexity, which is lower than that filed in NVD in either case. Fortunately, per the description in https://nvd.nist.gov/vuln/detail/CVE-2021-26919, the score is not final yet, so there is still some room to adjust it. Once we find a reasonable score that we all agree on, I will reach out to the ASF security team to figure out how to discuss it with the NVD team.
> >
> > Do the vector string and the CVSS score I calculated make sense? Any thoughts?
> >
> > Jihoon
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> > For additional commands, e-mail: dev-h...@druid.apache.org
> >