I agree with the CVSS string that you shared. The privileges required
should be high, since only an admin can exploit this vulnerability.

I think it's ok if we keep the attack complexity at low, and state in the
CVE that it only affects users with the MySQL JDBC driver loaded. So in
this case, a CVSS of 7.2 seems reasonable.

On Mon, Apr 5, 2021 at 3:25 PM Jihoon Son <jihoon...@apache.org> wrote:

> Hi all,
>
> I recently noticed that CVE-2021-26919 is filed with the CVSS score of
> 8.8(!) in NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-26919). This
> seems overestimated to me based on the analysis below.
>
> - The Druid cluster should have a MySQL JDBC connector jar loaded in its
> class path. The MySQL JDBC connector is not bundled in the Druid
> distribution by default.
> - The Druid cluster should be able to access a malicious MySQL server.
> In production, the Druid cluster is recommended to have access to only
> trusted hosts, even though Druid does not provide any method by itself
> to restrict accessible hosts yet.
> - The attacker should have proper permissions, either a write
> permission on a datasource (ingestion via JDBC) or a write permission
> on system configurations (JDBC-based lookup). In the current security
> model of Druid, there are roughly 3 different groups of users, i.e.,
> system administrators, users who have data management roles, and users
> who can only read data. In production, we recommend granting the
> permissions in question to only the first 2 groups, which are usually
> restricted to a small number of trusted people.
>
> Based on these requirements, the CVSS vector string I used for
> calculation can be found in
> https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
> The Attack Complexity was set to high (whereas it was set to low in
> the NVD calculation) because the vulnerability requires the Druid
> cluster to have the MySQL JDBC driver loaded and to have access to the
> malicious MySQL server. However, I see the point of the attack
> complexity being set to low as well because MySQL is popularly used as
> Druid's metadata store and restricting accessible hosts requires extra
> setup.
>
> The Privileges Required was set to high as well in my calculation
> (whereas it was set to low in the NVD calculation). This was because
> the attacker should have the permission of either system
> administrators or users who have data management roles, to exploit the
> vulnerability. These permissions are recommended to be granted to a
> small number of trusted people in the production environment as
> explained above.
>
> As a result, the CVSS score is 6.6 or 7.2 in my calculation depending
> on the Attack Complexity, which is lower than that filed
> in NVD in either case. Fortunately, per the description in
> https://nvd.nist.gov/vuln/detail/CVE-2021-26919, the score is not
> final yet, so there is still some room to adjust it. Once we find a
> reasonable score that we all agree on, I will reach out to the ASF
> security team to figure out how to discuss it with the NVD team.
>
> Do the vector string and the CVSS score I calculated make sense? Any
> thoughts?
> Jihoon
>
