Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Mitigating Recently Disclosed Code Execution Vulnerability In Apache Druid Using Advanced WAF

Osher_Bello
F5 Employee
F5 Employee

on ‎31-Mar-2021 12:54

Recently a new deserialization gadget was published that may lead to arbitrary code execution when deserialized by sending an HTTP request containing crafted JSON data in the request body.

The Vulnerability

Druid offers the ability to execute JavaScript at the server without restrictions. Out of concern for security, JavaScript is disabled by default. However, a remote attacker can bypass this restriction by sending HTTP request containing crafted JSON data in the request body, which may lead to the execution of arbitrary code with privileges of the vulnerable server.


0EM1T000002bst8.png

Figure 1:  Attack vector example

Mitigating the vulnerability with Advanced WAF

Advanced WAF customers under any supported version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type.


0EM1T000002bst9.png

Figure 2:  Exploit blocked with attack signature 200003437

Additional Reading

 https://www.zerodayinitiative.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid

Labels:
0 Kudos
Version history
Last update:
‎31-Mar-2021 12:54
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC