1923082 – (CVE-2020-1958) CVE-2020-1958 druid: Bypass of the credentialsValidator.userSearch filter in Druid API

Bug 1923082 (CVE-2020-1958) - CVE-2020-1958 druid: Bypass of the credentialsValidator.userSearch filter in Druid API

Summary: CVE-2020-1958 druid: Bypass of the credentialsValidator.userSearch filter in ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-1958
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1923085
TreeView+	depends on / blocked

Reported:	2021-02-01 11:50 UTC by Pedro Sampaio
Modified:	2021-02-15 16:09 UTC (History)
CC List:	14 users (show)
Fixed In Version:	druid 0.17.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-02-15 16:09:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-02-01 11:50:23 UTC

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

References:

https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E
https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c@%3Ccommits.druid.apache.org%3E

Comment 2 Przemyslaw Roguski 2021-02-10 15:22:11 UTC

External References:

https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E

Comment 4 Przemyslaw Roguski 2021-02-10 16:29:07 UTC

Upstream fix:
https://github.com/apache/druid/commit/dbaabdd24710fef726c5730c609937706f456a44

Comment 5 Przemyslaw Roguski 2021-02-10 16:31:00 UTC

Statement:

In OpenShift Container Platform (OCP) the openshift4/ose-metering-hive container ships the vulnerable version of the druid package, but the vulnerable code (which is part of the druid security extensions) is not delivered, hence OCP component is not affected by this flaw.

Comment 6 Product Security DevOps Team 2021-02-15 16:09:43 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1958

Note You need to log in before you can comment on or make changes to this bug.