Osher_Bello
F5 Employee

A new deserialization gadget was recently published that may lead to arbitrary code execution when a server deserializes crafted JSON data sent in the body of an HTTP request.

The Vulnerability

Druid offers the ability to execute JavaScript on the server without restrictions. Out of concern for security, JavaScript execution is disabled by default. However, a remote attacker can bypass this restriction by sending an HTTP request containing crafted JSON data in the request body, which may lead to the execution of arbitrary code with the privileges of the vulnerable server process.


Figure 1: Attack vector example (image)

Mitigating the vulnerability with Advanced WAF

Advanced WAF customers running any supported version are already protected against this vulnerability. The exploitation attempt is detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type.
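To illustrate the kind of request-body inspection a signature like the one above performs, here is an added example (not F5 or Druid code) that walks a JSON request body and flags markers of server-side JavaScript. The `"type": "javascript"` spec type is Druid's documented JavaScript component type; the `javascript` config-key check, the function-literal regex and the sample bodies are assumptions constructed for this example.

```python
import json
import re
from typing import Any, Dict, List

# Markers of server-side JavaScript in a Druid-style JSON spec.
# "type": "javascript" is Druid's documented JavaScript component type;
# the config-key and function-literal checks are assumptions of this example.
JS_TYPE = "javascript"
FUNC_LITERAL = re.compile(r"^\s*function\s*\(", re.IGNORECASE)

def find_javascript_specs(body: Any, path: str = "$") -> List[str]:
    """Walk a parsed JSON body and return JSONPath-like locations that
    reference server-side JavaScript. Returns [] for a clean body."""
    hits: List[str] = []
    if isinstance(body, dict):
        # A component typed "javascript" asks the server to run JS.
        if str(body.get("type", "")).lower() == JS_TYPE:
            hits.append(f"{path}.type=javascript")
        for key, value in body.items():
            child = f"{path}.{key}"
            # A "javascript" config block inside a request is suspicious:
            # the feature is expected to stay off on the server side.
            if key.lower() == JS_TYPE and isinstance(value, dict):
                hits.append(f"{child} (javascript config in request body)")
            hits.extend(find_javascript_specs(value, child))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_javascript_specs(item, f"{path}[{i}]"))
    elif isinstance(body, str) and FUNC_LITERAL.search(body):
        hits.append(f"{path} (JavaScript function literal)")
    return hits

def inspect_request_body(raw: bytes) -> Dict[str, Any]:
    """WAF-style decision helper: block when any JavaScript marker is found.
    Non-JSON bodies are passed on to other checks rather than blocked here."""
    try:
        parsed = json.loads(raw)
    except ValueError:
        return {"action": "allow", "reason": "not JSON", "hits": []}
    hits = find_javascript_specs(parsed)
    return {"action": "block" if hits else "allow", "hits": hits}

# Constructed sample bodies (not captured traffic): a benign ingestion-style
# spec, and one that carries a JavaScript-typed transform.
BENIGN = b'{"type": "index", "spec": {"dataSchema": {"dataSource": "events"}}}'
SUSPECT = (b'{"type": "index", "spec": {"transform": {"type": "javascript", '
           b'"function": "function(row) { return row; }"}}}')

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(inspect_request_body(sample))
```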


Figure 2: Exploit blocked with attack signature 200003437 (image)

Additional Reading

https://www.zerodayinitiative.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid

Version history
Last update: 31-Mar-2021 12:54