Mitigating Recently Disclosed Code Execution Vulnerability In Apache Druid Using Advanced WAF
Recently a new deserialization gadget was published for Apache Druid that may lead to arbitrary code execution when the server deserializes an HTTP request containing crafted JSON data in the request body.
The Vulnerability
Druid offers the ability to execute JavaScript on the server without restrictions. Out of concern for security, JavaScript is disabled by default. However, a remote attacker can bypass this restriction by sending an HTTP request containing crafted JSON data in the request body, which may lead to the execution of arbitrary code with the privileges of the vulnerable server.
Figure 1: Attack vector example
Mitigating the vulnerability with Advanced WAF
Advanced WAF customers on any supported version are already protected against this vulnerability. The exploitation attempt is detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type.
Figure 2: Exploit blocked with attack signature 200003437
Additional Reading
https://www.zerodayinitiative.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid