CVE-2021-26919

8.8 HIGH

📋 TL;DR

CVE-2021-26919 is a remote code execution vulnerability in Apache Druid's JDBC integration with MySQL. Druid lets trusted users read from external databases over JDBC to populate lookups or run SQL ingestion tasks. The MySQL JDBC driver (Connector/J) honours certain connection-URL properties that, if Druid passes them through unfiltered, let an attacker-controlled MySQL server execute arbitrary code inside the Druid process that opens the connection. An attacker needs Druid permissions to define a JDBC lookup or submit an ingestion task, plus a MySQL server they control that Druid can reach.

💻 Affected Systems

Products:
  • Apache Druid
Versions: 0.20.1 and earlier (all versions before 0.20.2)
Operating Systems: All platforms running Apache Druid
Default Config Vulnerable: ✅ No
Notes: Only exploitable when the MySQL JDBC driver is available to Druid (for example via the mysql-metadata-storage extension) and a user with permission to configure JDBC lookups or submit SQL ingestion tasks supplies the connection URI. Installations that never use JDBC lookups or the `sql` input source are not exposed, although the code path is present.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of Druid server with attacker gaining complete control over server processes, allowing data theft, system takeover, and lateral movement.

🟠

Likely Case

Remote code execution leading to data exfiltration, service disruption, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing connections to untrusted MySQL servers.

🌐 Internet-Facing: HIGH - Druid instances exposed to internet with JDBC functionality enabled are directly exploitable.
🏢 Internal Only: MEDIUM - Requires internal attacker or compromised internal MySQL server, but still significant due to RCE potential.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to Druid with permission to create a JDBC lookup or submit an ingestion task, and a MySQL server under the attacker's control that the Druid cluster can reach. The attacker places driver properties in the JDBC connection URI; the malicious server then returns responses that the MySQL JDBC driver processes unsafely. The code runs in whichever Druid service opens the connection: the service loading the lookup, or the task process (Peon) running the ingestion job.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Druid 0.20.2

Vendor Advisory: https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E

Restart Required: Yes

Instructions:

1. Back up the Druid configuration and data.
2. Download Apache Druid 0.20.2 or later from the official site.
3. Stop Druid services.
4. Replace the existing installation with the patched version.
5. Restart Druid services.
6. Verify functionality.

🔧 Temporary Workarounds

Disable JDBC functionality

Applies to: all versions

Remove or restrict JDBC lookup and SQL ingestion capabilities if they are not required.

Do not load the MySQL JDBC driver (for example the mysql-metadata-storage extension) on clusters that do not need it, and remove lookup-configuration and task-submission permissions from users who do not need them. In 0.20.2 and later, `druid.access.jdbc.enforceAllowedProperties=true` together with `druid.access.jdbc.allowedProperties` restricts which JDBC URL properties Druid accepts.

Network segmentation

Applies to: all versions

Restrict outbound connections from Druid servers to trusted MySQL servers only.

Configure firewall rules so that Druid hosts (including MiddleManager hosts, where ingestion tasks run) can open connections to port 3306 only on approved IPs.

🧯 If You Can't Patch

  • Implement strict network controls allowing Druid to connect only to trusted, internal MySQL servers
  • Remove JDBC permissions from all Druid users and disable JDBC extensions in configuration

🔍 How to Verify

Check if Vulnerable:

Confirm the Druid version is 0.20.1 or earlier, then check whether the MySQL JDBC driver is loaded (`druid.extensions.loadList` in runtime.properties) and whether any lookup uses a `jdbc` extractionNamespace or any ingestion spec uses the `sql` input source with a `mysql` database. If a user can submit either, the deployment is exposed.

Check Version:

Query the `/status` endpoint on any Druid service (for example `curl http://coordinator:8081/status`); the JSON response includes a `version` field. The version is also shown in the web console and printed in the service logs at startup.

Verify Fix Applied:

Confirm every Druid service reports 0.20.2 or later via `/status`, confirm `druid.access.jdbc.enforceAllowedProperties` is set to `true` rather than relying on the version bump alone, and test that existing JDBC lookups and SQL ingestion tasks still work with only allow-listed URL properties.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JDBC connection attempts to external MySQL servers
  • Errors in Druid logs related to MySQL JDBC driver properties

Network Indicators:

  • Druid servers initiating connections to unknown MySQL servers on port 3306
  • Unusual outbound traffic from Druid to external IPs

SIEM Query:

source="druid.logs" AND ("JDBC" OR "MySQL" OR "connectURI") AND ("connection" OR "property" OR "autoDeserialize")
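The following script is an added example, not Druid's own code, and serves both the "How to Verify" checks above and the detection indicators in this section. It extracts every `connectURI` from a Druid lookup or ingestion spec (or from log lines that happen to contain one), parses the MySQL JDBC URI, and flags connections to hosts outside a trusted set as well as any URL property outside an allow-list. The allow-list mirrors the property names Druid 0.20.2 accepts by default; the "dangerous" set is a short list of well-known Connector/J properties that let a malicious server drive deserialization or file access, and is illustrative rather than complete. The sample spec, the log lines and the host `mysql.internal.example` are constructed for the example.

```python
"""Audit Druid JDBC connectURIs for CVE-2021-26919 exposure (added example)."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed to mirror Druid 0.20.2's default druid.access.jdbc.allowedProperties.
ALLOWED_PROPERTIES = {"useSSL", "requireSSL", "ssl", "sslmode"}
# Well-known Connector/J properties a hostile server can abuse; illustrative list.
DANGEROUS_PROPERTIES = {"autoDeserialize", "queryInterceptors",
                        "statementInterceptors", "allowLoadLocalInfile"}
JDBC_URI_RE = re.compile(r"jdbc:mysql://[^\s\"'\\]+")


def parse_jdbc_uri(uri):
    """Split jdbc:mysql://host:port/db?k=v into (host, port, {k: v})."""
    if not uri.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql URI: %r" % uri)
    parts = urlsplit(uri[len("jdbc:"):])  # urlsplit needs a plain scheme
    props = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.hostname, parts.port or 3306, props


def audit_uri(uri, trusted_hosts):
    """Return a list of findings for one connectURI; empty means clean."""
    host, port, props = parse_jdbc_uri(uri)
    findings = []
    if host not in trusted_hosts:
        findings.append("untrusted MySQL host %s:%d" % (host, port))
    # Compare case-insensitively so a lookalike spelling is not waved through.
    allowed = {p.lower() for p in ALLOWED_PROPERTIES}
    dangerous = {p.lower() for p in DANGEROUS_PROPERTIES}
    for name in props:
        key = name.lower()
        if key in dangerous:
            findings.append("dangerous property %s" % name)
        elif key not in allowed:
            findings.append("non-allowlisted property %s" % name)
    return findings


def find_connect_uris(obj):
    """Walk a lookup or ingestion spec and yield every connectURI value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "connectURI" and isinstance(value, str):
                yield value
            else:
                yield from find_connect_uris(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_connect_uris(item)


def audit_spec(spec_json, trusted_hosts):
    """Map each flagged connectURI in a JSON spec to its findings."""
    result = {}
    for uri in find_connect_uris(json.loads(spec_json)):
        findings = audit_uri(uri, trusted_hosts)
        if findings:
            result[uri] = findings
    return result


def scan_log_lines(lines, trusted_hosts):
    """Return (line_number, uri, findings) for each suspicious URI in logs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for uri in JDBC_URI_RE.findall(line):
            findings = audit_uri(uri, trusted_hosts)
            if findings:
                hits.append((number, uri, findings))
    return hits


# Constructed sample data: a clean JDBC lookup spec and a hostile SQL ingestion spec.
SAMPLE_LOOKUP_SPEC = json.dumps({
    "type": "cachedNamespace",
    "extractionNamespace": {
        "type": "jdbc",
        "connectorConfig": {
            "connectURI": "jdbc:mysql://mysql.internal.example:3306/lookups?useSSL=true",
            "user": "druid", "password": "redacted"},
        "table": "countries", "keyColumn": "code", "valueColumn": "name",
        "pollPeriod": "PT5M"}})
SAMPLE_INGESTION_SPEC = json.dumps({
    "type": "index_parallel",
    "spec": {"ioConfig": {"type": "index_parallel", "inputSource": {
        "type": "sql",
        "database": {"type": "mysql", "connectorConfig": {
            "connectURI": "jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true&queryInterceptors=x.y.Z",
            "user": "a", "password": "b"}},
        "sqls": ["SELECT 1"]}}}})
# Constructed log lines; assumes the connectURI is logged verbatim.
SAMPLE_LOG_LINES = [
    "2021-03-01T10:00:00,000 INFO [qtp-1] lookup loaded connectURI=jdbc:mysql://mysql.internal.example:3306/lookups?useSSL=true",
    "2021-03-01T10:05:12,341 INFO [task-runner-0] sql input connectURI=jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true&queryInterceptors=x.y.Z",
]
TRUSTED_HOSTS = {"mysql.internal.example"}

if __name__ == "__main__":
    print(audit_spec(SAMPLE_LOOKUP_SPEC, TRUSTED_HOSTS))
    print(audit_spec(SAMPLE_INGESTION_SPEC, TRUSTED_HOSTS))
    for hit in scan_log_lines(SAMPLE_LOG_LINES, TRUSTED_HOSTS):
        print(hit)
```

Run it against exported lookup specs, task payloads from the Overlord's task API, or a slice of service logs; any non-empty finding on a pre-0.20.2 cluster is a spec that should be removed or rewritten before the upgrade, and on a patched cluster it is a sign that `enforceAllowedProperties` is not actually on.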
