CVE-2024-27438: Apache Doris Remote Command Execution Vulnerability
The Apache Doris development team has released security updates to address two vulnerabilities in their popular real-time analytical database system. One of these security flaws, rated as “important,” could potentially allow attackers to execute malicious code on affected systems.
Understanding the Vulnerabilities
- CVE-2024-26307 (Low Severity): This “race condition” vulnerability exists in Apache Doris versions before 1.2.8 and 2.0.4. While the risk of exploitation is considered low, it could potentially result in file modification issues.
- CVE-2024-27438 (Important Severity): This more concerning vulnerability affects a wider range of versions (1.2.0 through 2.0.4). It allows the downloading of arbitrary remote jar files, opening the door to remote code execution. Attackers with the ability to create a JDBC catalog could potentially exploit this to run malicious code on the server.
The Importance of Updating
Given the severity of CVE-2024-27438, Apache Doris users are strongly advised to upgrade to version 2.0.5 or 2.1.x immediately. These releases provide the necessary patches to mitigate the remote code execution vulnerability.
Securing Your Apache Doris Installation
In addition to updating, Apache Doris administrators are advised to follow these best practices:
- Restrict Access: Limit the ability to create JDBC catalogs only to trusted users.
- Monitor for Unusual Activity: Implement logging and alerting for any unexpected creation of JDBC catalogs or suspicious file downloads.
- General Security Measures: Maintain strong firewall rules, enforce robust password policies, and regularly apply security patches for all aspects of your system.
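The "Monitor for Unusual Activity" recommendation above is concrete enough to turn into a detection rule. The script below is an added example, not code from the article or from the Apache Doris project: it scans audit-style log lines for `CREATE CATALOG` statements whose `PROPERTIES` declare `"type"="jdbc"` and flags those where the creating user is not on an allowlist or where the driver location (`driver_url`, the JDBC catalog property name as I understand the Doris documentation; treat it as an assumption if your version differs) is a remote URL or an unapproved driver file. The log lines, user names, hosts and jar names are all constructed for the example and do not reflect real Doris audit log formatting.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample audit entries (NOT real Doris fe.audit.log output):
# one simplified "user=... stmt=..." record per line.
SAMPLE_AUDIT_LINES = [
    '2024-03-19 10:02:11 user=analyst stmt=SELECT count(*) FROM sales',
    '2024-03-19 10:05:42 user=etl_admin stmt=CREATE CATALOG jdbc_mysql PROPERTIES '
    '("type"="jdbc", "user"="ro", "password"="***", '
    '"jdbc_url"="jdbc:mysql://10.0.0.5:3306/demo", '
    '"driver_url"="mysql-connector-java-8.0.25.jar", '
    '"driver_class"="com.mysql.cj.jdbc.Driver")',
    '2024-03-19 10:07:03 user=guest stmt=CREATE CATALOG pg_ext PROPERTIES '
    '("type"="jdbc", "jdbc_url"="jdbc:postgresql://10.0.0.9:5432/x", '
    '"driver_url"="http://203.0.113.7/unknown.jar", '
    '"driver_class"="org.postgresql.Driver")',
    '2024-03-19 10:09:55 user=etl_admin stmt=CREATE CATALOG hive_cat PROPERTIES '
    '("type"="hms", "hive.metastore.uris"="thrift://10.0.0.3:9083")',
]

STMT_RE = re.compile(r"stmt=(.*)$")
USER_RE = re.compile(r"\buser=(\S+)")
CATALOG_RE = re.compile(
    r"CREATE\s+CATALOG\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+PROPERTIES\s*\((.*)\)\s*$",
    re.IGNORECASE | re.DOTALL,
)
PROP_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')
# Schemes that make the driver location a network fetch rather than a local file.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "s3://", "hdfs://")


@dataclass
class Finding:
    user: str
    catalog: str
    driver_url: str
    reason: str


def parse_properties(props_text: str) -> dict:
    """Turn the PROPERTIES body ("k"="v", ...) into a lower-cased key dict."""
    return {k.lower(): v for k, v in PROP_RE.findall(props_text)}


def inspect_line(
    line: str,
    allowed_users: FrozenSet[str] = frozenset(),
    allowed_driver_urls: FrozenSet[str] = frozenset(),
) -> Optional[Finding]:
    """Return a Finding if the line creates a JDBC catalog that violates policy."""
    stmt = STMT_RE.search(line)
    if not stmt:
        return None
    cat = CATALOG_RE.search(stmt.group(1))
    if not cat:
        return None  # not a CREATE CATALOG statement
    name, props = cat.group(1), parse_properties(cat.group(2))
    if props.get("type", "").lower() != "jdbc":
        return None  # only JDBC catalogs carry a driver location
    user_match = USER_RE.search(line)
    user = user_match.group(1) if user_match else "?"
    url = props.get("driver_url", "")

    reasons = []
    if user not in allowed_users:
        reasons.append("jdbc catalog created by non-allowlisted user")
    if url.lower().startswith(REMOTE_SCHEMES):
        reasons.append("driver_url points to a remote location")
    elif url and url not in allowed_driver_urls:
        reasons.append("driver_url not in approved driver list")
    if not reasons:
        return None
    return Finding(user=user, catalog=name, driver_url=url, reason="; ".join(reasons))


def scan_audit(
    lines: List[str],
    allowed_users: FrozenSet[str] = frozenset(),
    allowed_driver_urls: FrozenSet[str] = frozenset(),
) -> List[Finding]:
    """Run inspect_line over every record and collect the findings."""
    findings = []
    for line in lines:
        f = inspect_line(line, allowed_users, allowed_driver_urls)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_audit(
        SAMPLE_AUDIT_LINES,
        allowed_users=frozenset({"etl_admin"}),
        allowed_driver_urls=frozenset({"mysql-connector-java-8.0.25.jar"}),
    ):
        print(f"ALERT user={f.user} catalog={f.catalog} driver_url={f.driver_url}: {f.reason}")
```

Two policy checks are combined on purpose: a trusted user fetching a driver from an unexpected host is just as worth a ticket as an untrusted user creating any JDBC catalog, so each condition produces its own reason string and a single record can carry both. Feed the function your own catalog-creation audit records and an allowlist of the driver files you actually ship.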