CVE-2021-26919 Overview
Apache Druid allows users to read data from other database systems using JDBC. This functionality is intended to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. However, the MySQL JDBC driver supports certain properties which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This vulnerability represents a significant risk for organizations running affected versions of Apache Druid, as it could allow authenticated attackers to fully compromise the underlying server infrastructure.
Critical Impact
Authenticated attackers can leverage malicious MySQL JDBC properties to achieve remote code execution on Apache Druid servers, potentially leading to complete system compromise.
Affected Products
- Apache Druid versions prior to 0.20.2
- Systems using MySQL JDBC driver with Apache Druid
- Apache Druid installations configured with JDBC database lookups
Discovery Timeline
- March 30, 2021 - CVE-2021-26919 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-26919
Vulnerability Analysis
This vulnerability exploits the MySQL JDBC connector's ability to process specific driver properties that can be abused for malicious purposes. When Apache Druid establishes JDBC connections to MySQL databases for lookups or ingestion tasks, an attacker with authenticated access can manipulate the connection parameters to point to a malicious MySQL server under their control.
The MySQL JDBC driver has been known to support properties such as autoDeserialize and queryInterceptors that, when combined with a rogue MySQL server, can trigger deserialization of malicious Java objects. This attack technique, sometimes referred to as a "MySQL JDBC deserialization attack," allows the attacker to inject arbitrary serialized payloads that get deserialized within the context of the Druid server process.
The impact of successful exploitation includes complete compromise of the Druid server, unauthorized access to sensitive data stored or processed by Druid, lateral movement within the network, and potential establishment of persistent backdoors.
Root Cause
The root cause of this vulnerability lies in insufficient validation and sanitization of JDBC connection properties passed to the MySQL driver. Apache Druid did not implement adequate allowlisting or blocklisting of dangerous MySQL JDBC properties before version 0.20.2. This allowed users with lookup or ingestion task permissions to specify arbitrary connection properties that could be exploited for remote code execution.
The MySQL Connector/J driver supports several dangerous properties including autoDeserialize, which when set to true, allows automatic deserialization of objects returned from server-side prepared statements. Combined with queryInterceptors or other properties, an attacker could craft a malicious MySQL server that returns serialized Java objects containing exploit payloads.
Attack Vector
The attack follows a network-based vector where an authenticated user with permissions to configure JDBC lookups or submit ingestion tasks can exploit this vulnerability. The attack requires the following conditions:
- The attacker must have valid authentication credentials to Apache Druid
- The attacker must have permissions to configure lookups or submit ingestion tasks
- The attacker must be able to host a malicious MySQL server that is network-accessible from the Druid server
The attacker configures a JDBC connection pointing to their malicious MySQL server with dangerous properties enabled. When Druid establishes the connection, the malicious server responds with specially crafted payloads that trigger code execution within the Druid JVM process. This exploitation technique leverages the trust relationship between the JDBC driver and the MySQL server, bypassing standard application-level security controls.
Detection Methods for CVE-2021-26919
Indicators of Compromise
- Unexpected outbound connections from Druid servers to unknown MySQL server addresses
- JDBC connection strings containing suspicious properties such as autoDeserialize=true or unusual queryInterceptors
- Unusual process spawning from Java processes running Apache Druid
- Modifications to lookup configurations or ingestion tasks by unauthorized users
- Network traffic patterns indicating communication with rogue database servers
Detection Strategies
- Monitor Druid audit logs for changes to JDBC lookup configurations and ingestion task submissions
- Implement network monitoring to detect connections to unauthorized MySQL servers from Druid infrastructure
- Deploy SentinelOne Singularity endpoint protection to detect and block malicious code execution attempts
- Review JDBC connection strings in Druid configurations for dangerous MySQL driver properties
- Implement Java deserialization monitoring to detect exploitation attempts
Monitoring Recommendations
- Enable comprehensive logging for all Druid lookup and ingestion configuration changes
- Configure network segmentation to restrict outbound database connections from Druid servers to approved destinations only
- Deploy application-layer firewalls to inspect and filter JDBC traffic for malicious patterns
- Establish baseline network behavior for Druid servers and alert on anomalous connection attempts
How to Mitigate CVE-2021-26919
Immediate Actions Required
- Upgrade Apache Druid to version 0.20.2 or later immediately
- Audit all existing JDBC lookup configurations and ingestion tasks for suspicious connection parameters
- Review user permissions and restrict access to lookup and ingestion task configuration to only necessary personnel
- Implement network-level controls to limit outbound database connections from Druid servers
- Review recent configuration changes and authentication logs for signs of exploitation
Patch Information
Apache addressed this vulnerability in Apache Druid version 0.20.2. The fix implements proper validation and sanitization of MySQL JDBC connection properties, blocking dangerous parameters that could enable remote code execution. Organizations should upgrade to version 0.20.2 or the latest available version as soon as possible.
For detailed information about the security fix and upgrade instructions, refer to the Apache Druid Development Discussion and related Apache Druid Commit Updates.
Workarounds
- Restrict network access from Druid servers to only approved and trusted MySQL database servers using firewall rules
- Remove or disable JDBC lookup and ingestion functionality if not required for business operations
- Implement strict role-based access control to limit which users can configure lookups or submit ingestion tasks
- Deploy web application firewall rules to detect and block JDBC connection strings containing dangerous properties
- Consider running Druid in an isolated network segment with strict egress filtering
# Configuration example - Network restriction for Druid servers
# Add iptables rules to restrict outbound MySQL connections to approved servers only
iptables -A OUTPUT -p tcp --dport 3306 -d <approved_mysql_ip> -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
# Enable audit logging for Druid configuration changes
# In druid runtime.properties:
# druid.audit.manager.type=log
# druid.audit.manager.auditEnabled=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
