Bug 1923082 (CVE-2020-1958) - CVE-2020-1958 druid: Bypass of the credentialsValidator.userSearch filter in Druid API
Summary: CVE-2020-1958 druid: Bypass of the credentialsValidator.userSearch filter in ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-1958
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1923085
TreeView+ depends on / blocked
 
Reported: 2021-02-01 11:50 UTC by Pedro Sampaio
Modified: 2021-02-15 16:09 UTC (History)
14 users (show)

Fixed In Version: druid 0.17.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-15 16:09:43 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2021-02-01 11:50:23 UTC
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

References:

https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E
https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c@%3Ccommits.druid.apache.org%3E

Comment 4 Przemyslaw Roguski 2021-02-10 16:29:07 UTC
Upstream fix:
https://github.com/apache/druid/commit/dbaabdd24710fef726c5730c609937706f456a44

Comment 5 Przemyslaw Roguski 2021-02-10 16:31:00 UTC
Statement:

In OpenShift Container Platform (OCP) the openshift4/ose-metering-hive container ships the vulnerable version of the druid package, but the vulnerable code (which is part of the druid security extensions) is not delivered, hence OCP component is not affected by this flaw.

Comment 6 Product Security DevOps Team 2021-02-15 16:09:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1958


Note You need to log in before you can comment on or make changes to this bug.