CVE-2024-27438

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Doris allows authenticated users with JDBC catalog creation privileges to upload and execute arbitrary Java code via malicious JDBC driver files. Attackers can achieve remote command execution on the server. Affects Apache Doris versions 1.2.0 through 2.0.4.

💻 Affected Systems

Products:
  • Apache Doris
Versions: 1.2.0 through 2.0.4
Operating Systems: All platforms running Apache Doris
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user authentication with JDBC catalog creation privileges. Default configurations may grant these privileges to database administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Privilege escalation leading to database compromise, data exfiltration, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls restrict JDBC catalog creation to trusted administrators only.

🌐 Internet-Facing: HIGH - If Apache Doris is exposed to the internet and has authenticated users with JDBC catalog privileges.
🏢 Internal Only: HIGH - Even internally, any user with JDBC catalog creation rights can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Exploitation is straightforward once an attacker has the required privileges.

Exploitation requires authenticated access with JDBC catalog creation permissions. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.5 or 2.1.x

Vendor Advisory: https://lists.apache.org/thread/h95h82b0svlnwcg6c2xq4b08j6gwgczh

Restart Required: Yes

Instructions:

1. Back up your Apache Doris configuration and data.
2. Download Apache Doris version 2.0.5 or 2.1.x from the official website.
3. Stop the Apache Doris service.
4. Replace the existing installation with the patched version.
5. Restart the Apache Doris service.
6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Restrict JDBC Catalog Creation

Temporarily remove JDBC catalog creation privileges from all non-essential users until patching can be completed.

-- Use Apache Doris SQL to revoke the privilege that permits catalog creation.
-- Doris names this privilege Create_priv; held at the global level (*.*.*) it covers CREATE CATALOG.
-- Example: REVOKE Create_priv ON *.*.* FROM 'username'@'host';

🧯 If You Can't Patch

  • Immediately restrict JDBC catalog creation to only essential, trusted administrators using role-based access controls.
  • Implement network segmentation to isolate Apache Doris instances from sensitive systems and monitor for suspicious JDBC catalog creation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Apache Doris version using the web interface or by querying the system. If the version is between 1.2.0 and 2.0.4 inclusive, the system is vulnerable.

Check Version:

Run SELECT VERSION(); in Apache Doris SQL, or check the web admin interface.

Verify Fix Applied:

After upgrading, verify the version is 2.0.5 or higher (or in the 2.1.x series). Test JDBC catalog functionality with legitimate drivers to ensure it works correctly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JDBC catalog creation events, especially from non-admin users
  • Errors or warnings related to JDBC driver loading or initialization
  • Suspicious file uploads to JDBC driver directories

Network Indicators:

  • Unexpected outbound connections from Apache Doris server to external IPs
  • Unusual network traffic patterns following JDBC catalog operations

SIEM Query:

source="apache_doris" AND (event="catalog_creation" OR event="jdbc_driver_load") AND user!="admin_user"
