drill-user mailing list archives

From Bob Rudis <...@rud.is>
Subject Re: Does Drill Use Apache Struts
Date Fri, 08 Sep 2017 15:42:57 GMT
I personally haven't had the cycles to do a thorough appsec review of
the main web interface, the REST interface, access controls or
encryption tools, but I also only run Drill on private AWS instances
or on personal servers / systems, so it hasn't been a huge priority
for me.

I would encourage the Drill team to apply for a CII grant
<https://www.coreinfrastructure.org/>. CII has funded security audits
of OpenSSL and other OSS software and I believe Drill would be a great
candidate, especially since it's designed to provide access to diverse
data stores (i.e. breach Drill and you get to everything behind it).

MapR or Dremio could likely help speed up said grant application since
they are commercial entities with ties to the OSS side of Drill.

On Fri, Sep 8, 2017 at 11:28 AM, Saurabh Mahapatra
<saurabhmahapatra94@gmail.com> wrote:
> Thanks John, all. I think this discussion thread is important. As a community member,
> I learn so much by reading these threads.
>
> Since you work in cyber security research, are there specific things we should think
> about from a security standpoint for Drill?
>
> I know that we have a REST API and I am sure there are web apps being built around it.
> Are there vulnerabilities that we need to be aware of? How can we advise users about this?
>
> Thoughts?
>
> Best,
> Saurabh
>
> Sent from my iPhone
>
>
>
>> On Sep 8, 2017, at 7:41 AM, John Omernik <john@omernik.com> wrote:
>>
>> Also, thank you for the pointer to the pom.xml
>>
>>> On Fri, Sep 8, 2017 at 9:41 AM, John Omernik <john@omernik.com> wrote:
>>>
>>> So, I thought I was clear that it was unverified, but I also am in cyber
>>> security research, and this is what is being discussed in closed circles. I
>>> agree, it may not be just struts, it's not spreading rumors to say, this
>>> struts vulnerability is serious, and it's something that should be
>>> considered in a massive breach like this. Also, as with most security
>>> incidents, it is likely only a part of the story. It could be SQLi and it
>>> could be Struts and it could be both or neither. To imply it was unrelated
>>> SQLi is just as presumptuous as saying it was struts. Some folks are
>>> talking about attackers using Struts to get to a zone where SQLi was
>>> possible.  I will be clear(er): I have not verified that Equifax is wholly
>>> struts, or even related to Struts, but my fear right now is focused on open
>>> source projects that may use Struts and I think this is legitimate. Putting
>>> it into context, I want to learn more how to ensure vulnerabilities in one
>>> project/library are handled from a cascading point of view.
>>>
>>> John
>>>
>>>> On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis <bob@rud.is> wrote:
>>>>
>>>> Equifax was likely unrelated SQL injection. Don't spread rumors.
>>>>
>>>> Struts had yet-another-remote exploit (three of 'em, actually).
>>>>
>>>> I do this for a living (cybersecurity research).
>>>>
>>>> Drill is not impacted which can be verified by looking at dependencies
>>>> in https://github.com/apache/drill/blob/master/pom.xml
>>>>
>>>>> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik <john@omernik.com>
>>>>> wrote:
>>>>> Rumors are pointing to it being related to the Equifax breach (no
>>>>> confirmation from me on that, just seeing it referenced as a
>>>>> possibility)
>>>>>
>>>>> http://thehackernews.com/2017/09/apache-struts-vulnerability.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning <ted.dunning@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Almost certainly not.
>>>>>>
>>>>>> What issues are you referring to? I don't follow struts.
>>>>>>
>>>>>>
>>>>>> On Sep 8, 2017 16:00, "John Omernik" <john@omernik.com> wrote:
>>>>>>
>>>>>> Hey all, given the recent issues related to Struts, can we confirm
>>>>>> that Drill doesn't use this Apache component for anything? I am not
>>>>>> good enough at code reviews to see what may be used.
>>>>>>
>>>>>> John
>>>>>>
>>>>
>>>
>>>
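The check Bob points at in the thread (look at the dependencies declared in pom.xml and see whether any Struts artifact is among them) can be scripted so it is repeatable the next time a widely used library gets a remote exploit. The following is an added example, not code from this thread or from the Drill project: it parses a Maven POM, expands `${...}` version properties, and reports any dependency whose groupId is on a watch list. The `SAMPLE_POM` is a constructed fragment written to exercise both the direct `<dependencies>` and the `<dependencyManagement>` path; it is not Drill's real pom.xml, and the Struts entries in it are there only so the detection fires. The watched groupIds `org.apache.struts` (Struts 2 core and plugins) and `org.apache.struts.xwork` (the separately published XWork artifacts) are real Maven coordinates.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not the Drill project's pom.xml). It declares one
# Struts artifact directly and one under dependencyManagement so both code
# paths are exercised; the jackson entry is there as a non-matching control.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.struts</groupId>
        <artifactId>struts2-core</artifactId>
        <version>${struts.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Group IDs to flag. org.apache.struts covers Struts 2 core and its plugins;
# org.apache.struts.xwork covers the older standalone XWork artifacts.
WATCHED_GROUPS = ("org.apache.struts", "org.apache.struts.xwork")


def _ns_prefix(root):
    """Return (namespace map, tag prefix) so lookups work whether or not the
    POM declares the Maven xmlns on its root element."""
    if root.tag.startswith("{"):
        uri = root.tag[1:].split("}", 1)[0]
        return {"m": uri}, "m:"
    return {}, ""


def _child_text(elem, tag, ns, p):
    node = elem.find(f"{p}{tag}", ns)
    return (node.text or "").strip() if node is not None else ""


def _properties(root, ns, p):
    """Collect <properties> plus project.version so ${...} versions resolve."""
    props = {}
    props_node = root.find(f"{p}properties", ns)
    if props_node is not None:
        for child in props_node:
            props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    version = _child_text(root, "version", ns, p)
    if version:
        props["project.version"] = version
    return props


def _resolve(value, props):
    # Expand ${name}; unknown names are left literal so the report shows them.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def list_dependencies(pom_xml):
    """Return (section, groupId, artifactId, version) for each <dependency>
    declared directly or under <dependencyManagement> in one POM."""
    root = ET.fromstring(pom_xml)
    ns, p = _ns_prefix(root)
    props = _properties(root, ns, p)
    sections = (
        ("dependencies", f"{p}dependencies/{p}dependency"),
        ("dependencyManagement", f"{p}dependencyManagement/{p}dependencies/{p}dependency"),
    )
    deps = []
    for name, path in sections:
        for dep in root.findall(path, ns):
            deps.append((
                name,
                _child_text(dep, "groupId", ns, p),
                _child_text(dep, "artifactId", ns, p),
                _resolve(_child_text(dep, "version", ns, p), props),
            ))
    return deps


def find_watched(pom_xml, watched=WATCHED_GROUPS):
    """Dependencies from list_dependencies whose groupId is on the watch list."""
    return [d for d in list_dependencies(pom_xml) if d[1] in watched]


if __name__ == "__main__":
    hits = find_watched(SAMPLE_POM)
    if hits:
        for section, group, artifact, version in hits:
            print(f"{section}: {group}:{artifact}:{version}")
    else:
        print("no watched groupIds declared in this POM")
```

Two caveats a reviewer should keep in mind. First, this only sees what a single POM declares; a multi-module build like Drill's spreads dependencies over the root pom.xml and the module poms, so run it over every pom in the checkout. Second, a POM check cannot see transitive dependencies, which is where a library like Struts most often hides; `mvn dependency:tree` on the checkout prints the resolved graph and is the authoritative answer to "do we ship this artifact at all".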
