CVE-2021-33800
📋 TL;DR
CVE-2021-33800 is a directory traversal vulnerability in Druid 1.2.3 that allows attackers to access files outside the intended directory by manipulating path parameters. This affects organizations running vulnerable Druid versions, potentially exposing sensitive configuration files or system data.
💻 Affected Systems
- Apache Druid
📦 What is this software?
Druid by Alibaba
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like configuration files, credentials, or executing arbitrary code if combined with other vulnerabilities.
Likely Case
Unauthorized access to sensitive files containing configuration data, credentials, or application source code.
If Mitigated
Limited impact with proper file permissions and network segmentation preventing access to critical system files.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit with simple path manipulation techniques. Public advisories exist with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4 and later
Vendor Advisory: https://security.alibaba.com/announcement/announcement?id=214
Restart Required: Yes
Instructions:
1. Backup your Druid configuration and data.
2. Stop Druid services.
3. Upgrade to Druid 1.2.4 or later.
4. Verify the upgrade.
5. Restart Druid services.
6. Test functionality.
🔧 Temporary Workarounds
Input Validation Filter
- Implement input validation that rejects path traversal sequences such as '../' in URL parameters
- Configure a web application firewall or reverse proxy to filter ../ sequences
- If the deployment uses custom application code, add the same input validation there
Network Segmentation
- Restrict network access to Druid instances
- Configure firewall rules that limit access to trusted IPs only
- Place Druid behind a reverse proxy with strict path validation
🧯 If You Can't Patch
- Implement strict file system permissions to limit what files Druid can access
- Deploy web application firewall with directory traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment is running Druid version 1.2.3. Attempt to access files using path traversal sequences in the vulnerable endpoint (requires caution to avoid data exposure).
Check Version:
Check Druid configuration files or run: curl -s http://druid-host:port/status | grep version
Verify Fix Applied:
Verify Druid version is 1.2.4 or later. Test that path traversal attempts are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attempts with ../ sequences in URLs
- Unusual file access patterns from web requests
- Access to files outside expected directories
Network Indicators:
- HTTP requests containing ../, ..\, or similar traversal sequences
- Requests to unexpected file paths
SIEM Query:
web.url:*../* AND (dst.port:8082 OR dst.port:8081) AND src.ip:!trusted_network
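The SIEM query above matches only a literal ../ in the URL, so percent-encoded (%2e%2e%2f), double-encoded and backslash variants slip past it. The following detection script is an added example, not part of the advisory: it normalizes request paths before matching, keeps the port and trusted-network filters of the query, and runs over constructed sample log lines (the log format, ports 8081/8082 as the Druid listeners and 10.0.0.0/8 as the trusted network are assumptions).

```python
import re
from urllib.parse import unquote
# Constructed assumptions: Druid listens on the ports the page's SIEM query names,
# and 10.0.0.0/8 stands in for the query's "trusted_network".
DRUID_PORTS = {8081, 8082}
TRUSTED_PREFIXES = ("10.",)

# A '..' counts only as a whole path segment, so "sql..html" is not flagged.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Constructed access-log shape: <src ip> <dst port> "<method> <path> HTTP/x" <status>
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<port>\d+) "[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize_path(path: str) -> str:
    """Undo up to three layers of percent-encoding (%2e%2e%2f, %252e%252e%252f)
    and Windows separators, which a plain '*../*' pattern would miss."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")

def is_traversal(path: str) -> bool:
    return TRAVERSAL.search(normalize_path(path)) is not None

def scan(lines):
    """Return (src, port, normalized path, status) for traversal requests that reach
    a Druid port from outside the trusted network."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["port"]) not in DRUID_PORTS:
            continue
        if m["src"].startswith(TRUSTED_PREFIXES):
            continue
        if is_traversal(m["path"]):
            alerts.append((m["src"], int(m["port"]), normalize_path(m["path"]), int(m["status"])))
    return alerts

# Constructed sample log lines: plain, encoded, double-encoded, trusted source,
# non-Druid port, and a harmless file name containing "..".
SAMPLE_LOG = """\
203.0.113.5 8082 "GET /druid/index.html HTTP/1.1" 200
203.0.113.5 8082 "GET /druid/../../conf/app.properties HTTP/1.1" 200
198.51.100.9 8081 "GET /druid/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 200
198.51.100.9 8081 "GET /druid/%252e%252e/conf/app.properties HTTP/1.1" 404
10.0.0.7 8082 "GET /druid/../conf/app.properties HTTP/1.1" 403
203.0.113.5 9000 "GET /../index.html HTTP/1.1" 200
203.0.113.5 8082 "GET /druid/sql..html HTTP/1.1" 200
"""
```

Keeping the HTTP status in each alert lets an analyst separate blocked probes (4xx) from requests the server actually served (200), which are the ones that need file-access follow-up.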