Allow list for JDBC connection properties to address CVE-2021-26919 #11047
Merged: jihoonson merged 3 commits into apache:master (Apr 2, 2021)
Conversation
clintropolis approved these changes (Mar 30, 2021)
jihoonson added a commit to jihoonson/druid that referenced this pull request (Apr 12, 2021):
…pache#11047) * Allow list for JDBC connection properties to address CVE-2021-26919 * fix tests for java 11
jihoonson added a commit that referenced this pull request (Apr 13, 2021):
…11047) (#11100) * Allow list for JDBC connection properties to address CVE-2021-26919 * fix tests for java 11
jon-wei added a commit to jon-wei/druid that referenced this pull request (Nov 22, 2021):
* IMPLY-6556 remove offending settings.xml for intellij inspections
* GCS lookup support (apache#11026)
* GCS lookup support
* checkstyle fix
* review comments
* review comments
* remove unused import
* remove experimental from Kinesis with caveats (apache#10998)
* remove experimental from Kinesis with caveats
* add suggested known issue
* spelling fixes
* Bump aliyun SDK to 3.11.3 (apache#11044)
* Update reset-cluster.md (apache#10990) fixed Error: Could not find or load main class org.apache.druid.cli.Main
* Make imply-view-manager non-experimental (apache#316)
* Make druid.indexer.task.ignoreTimestampSpecForDruidInputSource default to true, for backwards compat (apache#315)
* Add explicit EOF and use assert instead of exception (apache#11041)
* Add Calcite Avatica protobuf handler (apache#10543)
* bump to latest of same version node and npm versions, bump frontend-maven-plugin (apache#11057)
* request logs through kafka emitter (apache#11036)
* request logs through kafka emitter
* travis fixes
* review comments
* kafka emitter unit test
* new line
* travis checks
* checkstyle fix
* count request lost when request topic is null
* IMPLY-6556 map local repository instead .m2
* remove outdated info from faq (apache#11053)
* remove outdated info from faq
* Add an option for ingestion task to drop (mark unused) all existing segments that are contained by interval in the ingestionSpec (apache#11025)
* Auto-Compaction can run indefinitely when segmentGranularity is changed from coarser to finer.
* Add option to drop segments after ingestion
* fix checkstyle
* add tests
* add tests
* add tests
* fix test
* add tests
* fix checkstyle
* fix checkstyle
* add docs
* fix docs
* address comments
* address comments
* fix spelling
* Allow list for JDBC connection properties to address CVE-2021-26919 (apache#11047)
* Allow list for JDBC connection properties to address CVE-2021-26919
* fix tests for java 11
* Fix compile issue from dropExisting in ingest-service (apache#320)
Co-authored-by: Slava Mogilevsky <triggerwoods91@gmail.com>
Co-authored-by: Parag Jain <pjain1@apache.org>
Co-authored-by: Charles Smith <38529548+techdocsmith@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: frank chen <frank.chen021@outlook.com>
Co-authored-by: Tushar Raj <43772524+tushar-1728@users.noreply.github.com>
Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com>
Co-authored-by: Jihoon Son <jihoonson@apache.org>
Co-authored-by: Lasse Krogh Mammen <lkm@bookboon.com>
Co-authored-by: Clint Wylie <cwylie@apache.org>
Co-authored-by: Maytas Monsereenusorn <maytasm@apache.org>
Description
This is a backport PR of 48953e3. CVE-2021-26919 is filed for the security vulnerability of remote code execution using vulnerable MySQL JDBC properties. This PR adds an allow list for JDBC connection properties that is enforced against every JDBC connection for ingestion and lookups, but not metadata stores. The allow list is enforced on connections to PostgreSQL as well as MySQL. This is because, even though the known security vulnerability is exploitable only with MySQL, we want to be conservative and avoid the same issue with PostgreSQL, which could potentially be exploitable in the future. The JDBC connection will fail if it uses a property that is not in the allow list.
Implementation-wise, this PR uses vendor-specific libraries to parse JDBC connection URLs because the JDBC URL format is diverse across different vendors. This introduces new compatibility issues.
As a result, URL parsing should be a short-term workaround to mitigate this vulnerability. Longer term, we should rather disallow arbitrary URLs in JDBC connections. Instead, we can only accept connection properties individually including host, port and user name.
Key changed/added classes in this PR
* JdbcAccessSecurityConfig
* JdbcExtractionNamespace
* JdbcFetcher
* MySQLFirehoseDatabaseConnector
* PostgresqlFirehoseDatabaseConnector
This PR has:
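As an added illustration of the allow-list check the description outlines (example code written for this page, not Druid's own JdbcAccessSecurityConfig or connector classes): the class below keeps a configurable set of permitted property names, gathers the property names both from the query part of the JDBC URL and from the separately supplied properties map, and fails the connection when any name is not on the list. Where the real change relies on vendor-specific URL parsers, this example assumes a plain `?key=value&key=value` query string after the `jdbc:` prefix, which is a simplification; the class and method names, the sample allow list and the sample URLs are all constructed for the example.

```java
// Added example, not Druid's code: an allow list for JDBC connection properties
// enforced on both URL-embedded and explicitly passed properties.
// Assumption: the URL's properties live in a simple "?k=v&k=v" query string
// (vendor URL grammars differ; the real change uses vendor parsers for that).
import java.net.URI;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public final class JdbcPropertyAllowList {
  private final Set<String> allowedProperties;
  private final boolean enforce;

  public JdbcPropertyAllowList(Set<String> allowedProperties, boolean enforce) {
    this.allowedProperties = Collections.unmodifiableSet(new TreeSet<>(allowedProperties));
    this.enforce = enforce;
  }

  /** Extracts key=value pairs after '?' in a JDBC URL (simplified parser, see assumption above). */
  static Map<String, String> propertiesFromUrl(String jdbcUrl) {
    Map<String, String> props = new LinkedHashMap<>();
    if (!jdbcUrl.startsWith("jdbc:")) {
      throw new IllegalArgumentException("not a JDBC URL: " + jdbcUrl);
    }
    // Drop the "jdbc:" prefix so java.net.URI sees a hierarchical URI such as mysql://host/db?...
    String query = URI.create(jdbcUrl.substring("jdbc:".length())).getRawQuery();
    if (query == null || query.isEmpty()) {
      return props;
    }
    for (String pair : query.split("&")) {
      int eq = pair.indexOf('=');
      String key = eq < 0 ? pair : pair.substring(0, eq);
      String value = eq < 0 ? "" : pair.substring(eq + 1);
      props.put(key, value);
    }
    return props;
  }

  /** Every property name, from the URL or the explicit map, that is not on the allow list. */
  public Set<String> findDisallowed(String jdbcUrl, Map<String, String> explicitProperties) {
    Set<String> disallowed = new TreeSet<>();
    for (String key : propertiesFromUrl(jdbcUrl).keySet()) {
      if (!allowedProperties.contains(key)) {
        disallowed.add(key);
      }
    }
    for (String key : explicitProperties.keySet()) {
      if (!allowedProperties.contains(key)) {
        disallowed.add(key);
      }
    }
    return disallowed;
  }

  /** Rejects the connection attempt when enforcement is on and any property is not allowed. */
  public void check(String jdbcUrl, Map<String, String> explicitProperties) {
    Set<String> disallowed = findDisallowed(jdbcUrl, explicitProperties);
    if (enforce && !disallowed.isEmpty()) {
      throw new IllegalArgumentException(
          "JDBC connection rejected: properties not in allow list " + disallowed);
    }
  }

  public static void main(String[] args) {
    // Constructed allow list and URLs for the demonstration; which names an
    // operator permits is a deployment decision, these three are only examples.
    JdbcPropertyAllowList allowList =
        new JdbcPropertyAllowList(Set.of("useSSL", "user", "password"), true);

    String accepted = "jdbc:mysql://db.example.internal:3306/druid?useSSL=true";
    allowList.check(accepted, Map.of("user", "druid"));
    System.out.println("accepted: " + accepted);

    // "unlistedOption" is a constructed placeholder for any property not on the list.
    String rejected = "jdbc:postgresql://db.example.internal:5432/druid?useSSL=true&unlistedOption=1";
    try {
      allowList.check(rejected, Map.of("user", "druid"));
    } catch (IllegalArgumentException e) {
      System.out.println(e.getMessage());
    }
  }
}
```

Two design points carry over to the real check regardless of parser: the comparison is fail-closed (a name that does not literally match an allowed entry, including a percent-encoded spelling of one, is rejected rather than decoded and forgiven), and the same list is applied to every vendor, which is what lets the description extend the MySQL fix to PostgreSQL without vendor-specific exceptions.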