CVE-2024-27438 Overview
CVE-2024-27438 is a Download of Code Without Integrity Check vulnerability (CWE-494) affecting Apache Doris, a modern data warehouse solution. The vulnerability exists in the JDBC catalog functionality where driver files used for JDBC connections are not validated for integrity before execution. This allows an attacker with authorization to create a JDBC catalog to introduce arbitrary driver JAR files containing malicious code that executes during catalog initialization without any verification.
Critical Impact
An attacker authorized to create JDBC catalogs can achieve remote command execution by supplying malicious JDBC driver JAR files that execute unchecked code during catalog initialization.
Affected Products
- Apache Doris versions 1.2.0 through 2.0.4
Discovery Timeline
- 2024-03-21 - CVE-2024-27438 published to NVD
- 2025-06-17 - Last updated in NVD database
Technical Details for CVE-2024-27438
Vulnerability Analysis
This vulnerability falls under the category of Remote Code Execution (RCE) through insecure code loading. Apache Doris provides JDBC catalog functionality that allows users to connect to external databases through JDBC drivers. The core issue is that when a JDBC catalog is created, the system loads and executes code from the specified driver JAR file without performing any integrity verification or code validation.
The attack requires the attacker to have authorization to create JDBC catalogs within the Apache Doris environment. While this represents a barrier to exploitation, in multi-tenant environments or systems with broader user permissions, this authorization may be more readily available than expected. Once an attacker gains catalog creation privileges, they can specify a custom JDBC driver JAR file containing arbitrary Java code that will be executed with the privileges of the Doris process during catalog initialization.
Root Cause
The root cause is the absence of integrity checking mechanisms for JDBC driver files. Apache Doris trusts user-supplied driver JAR files implicitly without:
- Verifying digital signatures or checksums of driver files
- Validating that drivers come from trusted sources
- Scanning driver code for malicious payloads
- Implementing a whitelist of approved JDBC drivers
This design flaw allows arbitrary code execution because Java's class loading mechanism will execute static initializers and other code paths within JAR files when classes are loaded during catalog initialization.
Attack Vector
The attack is network-based and requires no user interaction beyond the initial authorization to create JDBC catalogs. An attacker exploits this vulnerability through the following sequence:
- The attacker gains authorization to create JDBC catalogs in the target Apache Doris instance
- The attacker crafts a malicious JDBC driver JAR file containing code designed to execute during class loading
- The attacker creates a new JDBC catalog specifying the malicious driver file
- During catalog initialization, Apache Doris loads the driver JAR without integrity verification
- The malicious code executes with the privileges of the Apache Doris process
The malicious code within the JAR file can perform various actions including establishing reverse shells, exfiltrating data, modifying configurations, or pivoting to other systems within the network. Since the code runs with Doris process privileges, it has access to all data and resources available to that process.
Detection Methods for CVE-2024-27438
Indicators of Compromise
- Unexpected JDBC catalog creation events in Apache Doris audit logs
- JDBC driver JAR files loaded from non-standard or external locations
- Unusual network connections originating from the Doris process
- Unexpected child processes spawned by the Apache Doris service
- Modified or new files created by the Doris process outside normal operational paths
Detection Strategies
- Monitor Apache Doris logs for catalog creation operations, particularly JDBC catalogs with custom driver specifications
- Implement file integrity monitoring on directories where JDBC drivers are stored
- Deploy network monitoring to detect anomalous outbound connections from Doris servers
- Enable process monitoring to identify unexpected command execution by the Doris service
- Audit user permissions regularly to identify accounts with unnecessary catalog creation privileges
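The first detection strategy above (watching catalog creation for JDBC catalogs that point at custom drivers) can be scripted against the audit trail. The following is an added example, not code from the page or from the Apache Doris project: it scans a handful of constructed audit-log lines for `CREATE CATALOG` statements of type `jdbc` and flags any whose `driver_url` is fetched from a remote URL or is not in an administrator-maintained inventory of approved driver file names. The property names (`type`, `driver_url`, `driver_class`) follow Doris's documented JDBC catalog syntax as this example assumes it; the surrounding log layout (timestamp, user, client, stmt) and the sample statements are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample audit-log lines (not real Doris output). The CREATE CATALOG
# statements follow Doris's documented syntax; the timestamp/user/client/stmt
# layout is a hypothetical log format used only for this example.
SAMPLE_AUDIT_LOG = """\
2024-03-20T10:01:12Z user=analyst client=10.0.0.15 stmt=SELECT count(*) FROM sales
2024-03-20T10:05:44Z user=analyst client=10.0.0.15 stmt=CREATE CATALOG jdbc_mysql PROPERTIES ("type"="jdbc","user"="ro","password"="x","jdbc_url"="jdbc:mysql://db.internal:3306/demo","driver_url"="mysql-connector-java-8.0.25.jar","driver_class"="com.mysql.cj.jdbc.Driver")
2024-03-20T10:07:03Z user=contractor client=203.0.113.9 stmt=CREATE CATALOG jdbc_pg PROPERTIES ("type"="jdbc","user"="ro","password"="x","jdbc_url"="jdbc:postgresql://db.internal:5432/demo","driver_url"="http://203.0.113.9/pg-driver.jar","driver_class"="org.postgresql.Driver")
2024-03-20T10:09:30Z user=contractor client=203.0.113.9 stmt=CREATE CATALOG jdbc_ora PROPERTIES ("type"="jdbc","user"="ro","password"="x","jdbc_url"="jdbc:oracle:thin:@db.internal:1521/orcl","driver_url"="ojdbc-custom.jar","driver_class"="oracle.jdbc.OracleDriver")
2024-03-20T10:11:00Z user=admin client=10.0.0.2 stmt=CREATE CATALOG hive_prod PROPERTIES ("type"="hms","hive.metastore.uris"="thrift://hms:9083")
"""

# Approved driver inventory: file names an administrator has vetted (constructed).
APPROVED_DRIVERS = {"mysql-connector-java-8.0.25.jar", "postgresql-42.7.1.jar"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) stmt=(?P<stmt>.*)$")
CREATE_RE = re.compile(r"CREATE\s+CATALOG\s+(?P<name>\w+)\s+PROPERTIES\s*\((?P<props>.*)\)\s*$",
                       re.IGNORECASE | re.DOTALL)
PROP_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')


@dataclass
class Finding:
    timestamp: str
    user: str
    client: str
    catalog: str
    driver_url: str
    reason: str


def parse_properties(props: str) -> dict:
    """Turn the "k"="v" pairs inside PROPERTIES(...) into a dict."""
    return {k: v for k, v in PROP_RE.findall(props)}


def classify_driver(driver_url: str) -> Optional[str]:
    """Return a reason string if the driver source looks suspicious, else None."""
    scheme = urlparse(driver_url).scheme
    if scheme in ("http", "https", "ftp"):
        # A driver pulled over the network at catalog creation time is exactly
        # the unverified-download path the CVE describes.
        return f"driver fetched from remote URL ({scheme})"
    if driver_url not in APPROVED_DRIVERS:
        return "driver file not in approved inventory"
    return None


def scan_audit_log(text: str) -> list:
    """Return one Finding per JDBC catalog creation whose driver is not trusted."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CREATE_RE.match(m["stmt"])
        if not c:
            continue  # not a CREATE CATALOG statement
        props = parse_properties(c["props"])
        if props.get("type", "").lower() != "jdbc":
            continue  # only JDBC catalogs load driver JARs
        url = props.get("driver_url", "")
        reason = classify_driver(url)
        if reason:
            findings.append(Finding(m["ts"], m["user"], m["client"], c["name"], url, reason))
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.timestamp} {f.user}@{f.client} catalog={f.catalog} "
              f"driver={f.driver_url}: {f.reason}")
```

Run against the constructed lines, the script flags two of the four catalog creations: one whose driver is pulled from an external HTTP address and one whose driver file is not in the inventory. The baseline-and-deviation approach in the monitoring recommendations maps directly onto the `APPROVED_DRIVERS` set: anything outside it is a deviation worth an alert, regardless of whether the requesting account was entitled to create catalogs.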
Monitoring Recommendations
- Configure centralized logging for all Apache Doris administrative operations
- Establish baseline behavior for JDBC catalog operations and alert on deviations
- Implement endpoint detection and response (EDR) solutions on Doris servers to detect post-exploitation activity
- Monitor for JAR file downloads or uploads to Doris-accessible directories
How to Mitigate CVE-2024-27438
Immediate Actions Required
- Upgrade Apache Doris to version 2.0.5 or a 2.1.x release, which include the fix for this vulnerability
- Audit existing JDBC catalogs for potentially malicious driver configurations
- Review and restrict user permissions for JDBC catalog creation to trusted administrators only
- Implement network segmentation to limit the impact of potential code execution
Patch Information
Apache has released fixes in Apache Doris versions 2.0.5 and 2.1.x. Users running versions 1.2.0 through 2.0.4 should upgrade immediately. For detailed patch information, refer to the Apache Mailing List Thread and the Openwall OSS Security Discussion.
Workarounds
- Restrict JDBC catalog creation permissions to only highly trusted administrative accounts
- Implement strict network access controls limiting which sources can provide JDBC driver files
- Deploy application-level firewalls to monitor and filter catalog creation requests
- Use a dedicated, restricted service account for running Apache Doris with minimal filesystem and network permissions
- Maintain an inventory of approved JDBC drivers and manually verify any new driver additions
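The last two workarounds (file integrity monitoring on the driver directory and an inventory of approved drivers) can be combined into a single periodic check. The following is an added example and not code from the page or the Apache Doris project: it records a SHA-256 digest for each vetted driver JAR, then re-verifies the driver directory and reports files that are unknown, have changed since approval, or have gone missing, and separately checks that a JAR actually contains the class named in its catalog's `driver_class`. The JAR files, directory, and inventory are constructed inside the example (minimal zip archives with placeholder class entries), so it runs offline; the file names are hypothetical.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large driver JARs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_jar(path: Path, class_entries: list) -> None:
    """Construct a minimal JAR-like zip for the example (placeholder class bytes)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in class_entries:
            z.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode


def jar_contains_class(jar: Path, fqcn: str) -> bool:
    """True if the JAR has an entry for the fully-qualified class name, e.g. com.x.Driver."""
    entry = fqcn.replace(".", "/") + ".class"
    with zipfile.ZipFile(jar) as z:
        return entry in z.namelist()


def verify_driver_dir(driver_dir: Path, inventory: dict) -> dict:
    """Compare every *.jar in driver_dir against {filename: sha256} recorded at approval.

    Status per file: 'ok', 'mismatch' (content changed), 'unknown' (not approved),
    'missing' (approved but no longer present).
    """
    report = {}
    for jar in sorted(driver_dir.glob("*.jar")):
        expected = inventory.get(jar.name)
        if expected is None:
            report[jar.name] = "unknown"
        elif expected != sha256_file(jar):
            report[jar.name] = "mismatch"
        else:
            report[jar.name] = "ok"
    for name in inventory:
        if not (driver_dir / name).exists():
            report[name] = "missing"
    return report


def demo() -> tuple:
    """Build a constructed driver directory and run both checks; returns (report, class_checks)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Approval time: administrator vets two drivers and records their digests.
        build_sample_jar(d / "mysql-connector-java-8.0.25.jar", ["com/mysql/cj/jdbc/Driver.class"])
        build_sample_jar(d / "postgresql-42.7.1.jar", ["org/postgresql/Driver.class"])
        inventory = {
            "mysql-connector-java-8.0.25.jar": sha256_file(d / "mysql-connector-java-8.0.25.jar"),
            "postgresql-42.7.1.jar": sha256_file(d / "postgresql-42.7.1.jar"),
        }
        # Later: the postgres JAR is replaced by a different archive under the same
        # name, and an unapproved JAR appears in the directory.
        build_sample_jar(d / "postgresql-42.7.1.jar",
                         ["org/postgresql/Driver.class", "extra/Startup.class"])
        build_sample_jar(d / "ojdbc-custom.jar", ["oracle/jdbc/OracleDriver.class"])

        report = verify_driver_dir(d, inventory)
        class_checks = {
            "mysql-connector-java-8.0.25.jar":
                jar_contains_class(d / "mysql-connector-java-8.0.25.jar", "com.mysql.cj.jdbc.Driver"),
            "ojdbc-custom.jar":
                jar_contains_class(d / "ojdbc-custom.jar", "oracle.jdbc.driver.OracleDriver"),
        }
        return report, class_checks


if __name__ == "__main__":
    report, class_checks = demo()
    for name, status in sorted(report.items()):
        print(f"{status:8s} {name}")
    for name, ok in class_checks.items():
        print(f"declared driver class {'present' if ok else 'ABSENT'} in {name}")
```

The digest comparison is the piece that the vulnerable versions lack: a JAR whose bytes changed after approval is reported as a mismatch even though its file name still looks legitimate, and a JAR that was never approved is reported as unknown. The class-presence check is a cheap sanity test for new additions, since a driver whose declared `driver_class` is not even in the archive is not the driver it claims to be. Run the check from a scheduled job on each FE host and treat anything other than `ok` as an alert.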
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

