Security Bulletin: Vulnerability in Apache Druid affects watsonx.data

Summary

It is possible for an authenticated user to send a specially-crafted request that forces Apache Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

Vulnerability Details

CVEID:CVE-2021-25646
**DESCRIPTION:**Apache Druid could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code with the privileges of the Druid server process on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

The product needs to be installed or upgraded to the latest available level watsonx.data 2.0.2 or watsonx.data on CPD 5.0.2. Installation/upgrade instructions can be found here: <https://www.ibm.com/docs/en/watsonx/watsonxdata/2.0.x?topic=deployment-installing&gt;

Workarounds and Mitigations

None