From 86d96ee3ccecc501467fefe497bff91481031072 Mon Sep 17 00:00:00 2001
From: joernNNN
Date: Fri, 8 Aug 2025 04:42:25 +0400
Subject: [PATCH 1/3] pinot CVE-2024-56325
---
 apache/pinot/CVE-2024-56325/Dockerfile | 30 +++++++++++++++++++++
 apache/pinot/CVE-2024-56325/README.md | 14 ++++++++++
 apache/pinot/CVE-2024-56325/broker.conf | 14 ++++++++++
 apache/pinot/CVE-2024-56325/controller.conf | 23 ++++++++++++++++
 apache/pinot/CVE-2024-56325/minion.conf | 6 +++++
 apache/pinot/CVE-2024-56325/server.conf | 10 +++++++
 apache/pinot/CVE-2024-56325/start-pinot.sh | 23 ++++++++++++++++
 7 files changed, 120 insertions(+)
 create mode 100644 apache/pinot/CVE-2024-56325/Dockerfile
 create mode 100644 apache/pinot/CVE-2024-56325/README.md
 create mode 100644 apache/pinot/CVE-2024-56325/broker.conf
 create mode 100644 apache/pinot/CVE-2024-56325/controller.conf
 create mode 100644 apache/pinot/CVE-2024-56325/minion.conf
 create mode 100644 apache/pinot/CVE-2024-56325/server.conf
 create mode 100644 apache/pinot/CVE-2024-56325/start-pinot.sh
diff --git a/apache/pinot/CVE-2024-56325/Dockerfile b/apache/pinot/CVE-2024-56325/Dockerfile
new file mode 100644
index 00000000..25b32886
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/Dockerfile
@@ -0,0 +1,30 @@
+FROM ubuntu:24.04 AS jdk21-base
+ENV DEBIAN_FRONTEND=noninteractive
+ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
+RUN apt-get update && \
+apt-get install -y --no-install-recommends \
+openjdk-21-jdk \
+ca-certificates \
+curl \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/*
+RUN java -version
+
+
+FROM jdk21-base AS pinot
+
+RUN apt update && apt install wget -y
+RUN wget https://www.apache.org/dyn/closer.lua/pinot/apache-pinot-1.2.0/apache-pinot-1.2.0-bin.tar.gz?action=download -O apache-pinot-1.2.0-bin.tar.gz
+RUN tar -zxvf apache-pinot-1.2.0-bin.tar.gz
+
+WORKDIR /apache-pinot-1.2.0-bin
+
+
+COPY controller.conf controller.conf
+COPY broker.conf broker.conf
+COPY server.conf server.conf
+COPY minion.conf minion.conf
+COPY start-pinot.sh /apache-pinot-1.2.0-bin/start-pinot.sh
+RUN chmod +x /apache-pinot-1.2.0-bin/start-pinot.sh
+
+CMD ["/apache-pinot-1.2.0-bin/start-pinot.sh"]
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/README.md b/apache/pinot/CVE-2024-56325/README.md
new file mode 100644
index 00000000..ba3536b7
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/README.md
@@ -0,0 +1,14 @@
+# setup vulnerable version
+```bash
+docker build -t pinot-jdk21-debian:latest .
+docker run --rm -p 9000:9000 --name pinot-CVE-2024-56325 pinot-jdk21-debian:latest
+```
+# test vulnerable version
+```bash
+curl -v http://localhost:9000/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9000/tables\;.
+# 200 OK
+# {"tables":[]}
+```
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/broker.conf b/apache/pinot/CVE-2024-56325/broker.conf
new file mode 100644
index 00000000..0f5e8341
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/broker.conf
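Review bot: The `RUN wget …closer.lua…` step in the `pinot` stage unpacks the tarball without checking it against the SHA-512 or signature that Apache publishes alongside each release, so a corrupted or substituted archive (the URL is a mirror redirector) would be baked into the lab image unnoticed, and a CVE reproduction is only meaningful if the image provably holds the 1.2.0 release. Verify the digest in the same `RUN` as the download and extraction, and quote the URL, whose `?` is otherwise a shell glob character. `curl` is already installed in `jdk21-base`, so the separate `apt update && apt install wget -y` layer, which also leaves the apt lists in the image, could be dropped by downloading with `curl` instead. The `${PINOT_VERSION}` form of these lines in PATCH 2/3 has the same gap and would need one digest per version built.

```dockerfile
FROM jdk21-base AS pinot
# … unchanged: apt install of wget …

# Placeholder: supply the SHA-512 that Apache publishes for this tarball, e.g. via --build-arg.
ARG PINOT_SHA512
RUN wget "https://www.apache.org/dyn/closer.lua/pinot/apache-pinot-1.2.0/apache-pinot-1.2.0-bin.tar.gz?action=download" \
        -O apache-pinot-1.2.0-bin.tar.gz \
    && echo "${PINOT_SHA512}  apache-pinot-1.2.0-bin.tar.gz" | sha512sum -c - \
    && tar -zxf apache-pinot-1.2.0-bin.tar.gz \
    && rm apache-pinot-1.2.0-bin.tar.gz
# … unchanged: WORKDIR, COPY of the .conf files and start-pinot.sh, chmod, CMD …
```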
@@ -0,0 +1,14 @@
+# broker settings
+pinot.broker.client.queryPort=8099
+pinot.broker.routing.table.builder.class=random
+pinot.broker.helix.cluster.name=PinotCluster
+pinot.broker.zk.str=127.0.0.1:2181
+# no tokens required
+# the factory class property is different for the broker
+pinot.broker.access.control.class=org.apache.pinot.broker.broker.BasicAuthAccessControlFactory
+
+pinot.broker.access.control.principals=admin,user
+pinot.broker.access.control.principals.admin.password=verysecret
+pinot.broker.access.control.principals.user.password=secret
+
+# No need to set READ permissions here since broker requests are read-only
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/controller.conf b/apache/pinot/CVE-2024-56325/controller.conf
new file mode 100644
index 00000000..6b7a7594
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/controller.conf
@@ -0,0 +1,23 @@
+# controller settings
+controller.helix.cluster.name=PinotCluster
+controller.port=9000
+controller.data.dir=/tmp/pinot/controller
+controller.zk.str=127.0.0.1:2181
+controller.host=pinot-controller
+
+# Create users "admin" and "user". Keep in mind we're not enforcing any ACLs yet.
+controller.admin.access.control.principals=admin,user
+
+# Set the user's password to "secret" and allow "READ" only
+controller.admin.access.control.principals.user.password=secret
+controller.admin.access.control.principals.user.permissions=READ
+
+# Set the admin's password to "verysecret"
+controller.admin.access.control.principals.admin.password=verysecret
+
+# Enable the controller to fetch segments by providing the credentials as a token
+controller.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+
+# "Basic " + base64encode("admin:verysecret")
+
+controller.admin.access.control.factory.class=org.apache.pinot.controller.api.access.BasicAuthAccessControlFactory
\ No newline at end of file
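Review bot: In broker.conf the comment `# no tokens required` sits directly above the line that enables `BasicAuthAccessControlFactory`, which reads as if the broker accepted unauthenticated requests; presumably it means the broker needs no outgoing token, so say that, e.g. `# the broker sends no auth token of its own; incoming queries use Basic auth`. The passwords `verysecret` and `secret` and the matching `Basic …` token are committed in clear text here and in controller.conf, minion.conf and server.conf, which is fine for a throwaway reproduction but deserves a header comment in each file such as `# Lab-only credentials for reproducing CVE-2024-56325; never reuse outside this container`. In controller.conf the remark `we're not enforcing any ACLs yet` holds only until the `factory.class` line at the bottom of the same file, so it would be clearer placed next to that line or reworded.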
diff --git a/apache/pinot/CVE-2024-56325/minion.conf b/apache/pinot/CVE-2024-56325/minion.conf
new file mode 100644
index 00000000..2307d8f3
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/minion.conf
@@ -0,0 +1,6 @@
+# minion settings
+pinot.minion.helix.cluster.name=PinotCluster
+pinot.minion.zk.str=127.0.0.1:2181
+
+segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+task.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/server.conf b/apache/pinot/CVE-2024-56325/server.conf
new file mode 100644
index 00000000..b109a107
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/server.conf
@@ -0,0 +1,10 @@
+# server settings
+pinot.server.instance.dataDir=/tmp/pinot/server
+pinot.server.instance.segmentTarDir=/tmp/pinot/server/segments
+pinot.server.netty.port=8098
+pinot.server.helix.cluster.name=PinotCluster
+pinot.server.zk.str=127.0.0.1:2181
+
+pinot.server.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.segment.uploader.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.instance.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/start-pinot.sh b/apache/pinot/CVE-2024-56325/start-pinot.sh
new file mode 100644
index 00000000..fefc4d47
--- /dev/null
+++ b/apache/pinot/CVE-2024-56325/start-pinot.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+nohup ./bin/pinot-admin.sh StartZookeeper -zkPort 2181 > zookeeper.log 2>&1 &
+while ! grep -q 'Start zookeeper at localhost:2181 in thread main' zookeeper.log; do sleep 1; done
+echo "Zookeeper started."
+
+nohup ./bin/pinot-admin.sh StartController -config controller.conf > controller.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' controller.log; do sleep 1; done
+echo "Controller started."
+
+nohup ./bin/pinot-admin.sh StartBroker -config broker.conf > broker.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' broker.log; do sleep 1; done
+echo "Broker started."
+
+nohup ./bin/pinot-admin.sh StartServer -config server.conf > server.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' server.log; do sleep 1; done
+echo "Server started."
+
+nohup ./bin/pinot-admin.sh StartMinion -configFileName minion.conf > minion.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' minion.log; do sleep 1; done
+echo "Minion started."
+
+tail -f zookeeper.log controller.log broker.log server.log minion.log
\ No newline at end of file
From 3aa556bb1bbc308f8399e0ff1a8f3d52c7f59652 Mon Sep 17 00:00:00 2001
From: joernNNN
Date: Sat, 9 Aug 2025 15:26:10 +0400
Subject: [PATCH 2/3] secure version is added
---
 apache/pinot/CVE-2024-56325/Dockerfile | 14 ++++++++------
 apache/pinot/CVE-2024-56325/README.md | 23 +++++++++++++++++++----
 2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/apache/pinot/CVE-2024-56325/Dockerfile b/apache/pinot/CVE-2024-56325/Dockerfile
index 25b32886..7b00f5af 100644
--- a/apache/pinot/CVE-2024-56325/Dockerfile
+++ b/apache/pinot/CVE-2024-56325/Dockerfile
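Review bot: Each `while ! grep -q … ; do sleep 1; done` loop in start-pinot.sh waits forever if its component exits during startup or logs a different line, so the container sits silent and the README's curl check fails with a refused connection instead of a 401 or 200 that can be interpreted. Bound every wait with a timeout and stop as soon as the background process has died, printing which log to read. The five start/wait pairs are identical apart from the command, log file and pattern, so one small helper covers them all. The final `tail -f` also keeps the container alive after every Pinot process has gone; a `wait` on the started PIDs would let it exit, though that is secondary.

```shell
# Wait for a log marker; give up if the component exits or the timeout passes.
# usage: wait_for <pid> <logfile> <pattern> [timeout_seconds]
wait_for() {
  local pid=$1 log=$2 pattern=$3 deadline=$((SECONDS + ${4:-120}))
  until grep -q "$pattern" "$log" 2>/dev/null; do
    if ! kill -0 "$pid" 2>/dev/null || [ "$SECONDS" -ge "$deadline" ]; then
      echo "startup failed or timed out, see $log" >&2
      exit 1
    fi
    sleep 1
  done
}

nohup ./bin/pinot-admin.sh StartZookeeper -zkPort 2181 > zookeeper.log 2>&1 &
wait_for "$!" zookeeper.log 'Start zookeeper at localhost:2181 in thread main'
echo "Zookeeper started."
# … unchanged commands for controller, broker, server and minion, each followed by wait_for "$!" <log> <pattern> …
```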
@@ -13,18 +13,20 @@ RUN java -version FROM jdk21-base AS pinot +ARG PINOT_VERSION=1.2.0 + RUN apt update && apt install wget -y -RUN wget https://www.apache.org/dyn/closer.lua/pinot/apache-pinot-1.2.0/apache-pinot-1.2.0-bin.tar.gz?action=download -O apache-pinot-1.2.0-bin.tar.gz -RUN tar -zxvf apache-pinot-1.2.0-bin.tar.gz +RUN wget https://www.apache.org/dyn/closer.lua/pinot/apache-pinot-${PINOT_VERSION}/apache-pinot-${PINOT_VERSION}-bin.tar.gz?action=download -O apache-pinot-${PINOT_VERSION}-bin.tar.gz +RUN tar -zxvf apache-pinot-${PINOT_VERSION}-bin.tar.gz -WORKDIR /apache-pinot-1.2.0-bin +WORKDIR /apache-pinot-${PINOT_VERSION}-bin COPY controller.conf controller.conf COPY broker.conf broker.conf COPY server.conf server.conf COPY minion.conf minion.conf -COPY start-pinot.sh /apache-pinot-1.2.0-bin/start-pinot.sh -RUN chmod +x /apache-pinot-1.2.0-bin/start-pinot.sh +COPY start-pinot.sh /apache-pinot-${PINOT_VERSION}-bin/start-pinot.sh +RUN chmod +x /apache-pinot-${PINOT_VERSION}-bin/start-pinot.sh -CMD ["/apache-pinot-1.2.0-bin/start-pinot.sh"] \ No newline at end of file +CMD ["./start-pinot.sh"] \ No newline at end of file diff --git a/apache/pinot/CVE-2024-56325/README.md b/apache/pinot/CVE-2024-56325/README.md index ba3536b7..a98047c2 100644 --- a/apache/pinot/CVE-2024-56325/README.md +++ b/apache/pinot/CVE-2024-56325/README.md @@ -1,9 +1,9 @@ # setup vulnerable version ```bash -docker build -t pinot-jdk21-debian:latest . -docker run --rm -p 9000:9000 --name pinot-CVE-2024-56325 pinot-jdk21-debian:latest +docker build --build-arg PINOT_VERSION=1.2.0 -t pinot-jdk21-debian:1.2.0 . +docker run --rm -p 9000:9000 --name pinot-CVE-2024-56325 pinot-jdk21-debian:1.2.0 ``` -# test vulnerable version +## test vulnerable version ```bash curl -v http://localhost:9000/tables # 401 Unauthorized 
@@ -11,4 +11,19 @@ curl -v http://localhost:9000/tables
 curl -v http://localhost:9000/tables\;.
 # 200 OK
 # {"tables":[]}
-```
\ No newline at end of file
+```
+
+# setup fixed version
+```bash
+docker build --build-arg PINOT_VERSION=1.3.0 -t pinot-jdk21-debian:1.3.0 .
+docker run --rm -p 9001:9000 --name pinot-CVE-2024-56325-patched pinot-jdk21-debian:1.3.0
+```
+## test secure version
+```bash
+curl -v http://localhost:9001/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9001/tables\;.
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+```
From acdd4ad525b4766ebf20383d25f4e7347c7d27cf Mon Sep 17 00:00:00 2001
From: joernNNN
Date: Tue, 30 Sep 2025 17:18:18 +0400
Subject: [PATCH 3/3] don't need for dockerfile anymore
---
 apache/pinot/CVE-2024-56325/Dockerfile | 32 -------------------
 apache/pinot/CVE-2024-56325/README.md | 10 +++---
 .../pinot/CVE-2024-56325/docker-compose.yaml | 17 ++++++++++
 apache/pinot/CVE-2024-56325/start-pinot.sh | 0
 4 files changed, 21 insertions(+), 38 deletions(-)
 delete mode 100644 apache/pinot/CVE-2024-56325/Dockerfile
 create mode 100644 apache/pinot/CVE-2024-56325/docker-compose.yaml
 mode change 100644 => 100755 apache/pinot/CVE-2024-56325/start-pinot.sh
diff --git a/apache/pinot/CVE-2024-56325/Dockerfile b/apache/pinot/CVE-2024-56325/Dockerfile
deleted file mode 100644
index 7b00f5af..00000000
--- a/apache/pinot/CVE-2024-56325/Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-FROM ubuntu:24.04 AS jdk21-base
-ENV DEBIAN_FRONTEND=noninteractive
-ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
-RUN apt-get update && \
-apt-get install -y --no-install-recommends \
-openjdk-21-jdk \
-ca-certificates \
-curl \
-&& apt-get clean \
-&& rm -rf /var/lib/apt/lists/*
-RUN java -version
-
-
-FROM jdk21-base AS pinot
-
-ARG PINOT_VERSION=1.2.0
-
-RUN apt update && apt install wget -y
-RUN wget https://www.apache.org/dyn/closer.lua/pinot/apache-pinot-${PINOT_VERSION}/apache-pinot-${PINOT_VERSION}-bin.tar.gz?action=download -O apache-pinot-${PINOT_VERSION}-bin.tar.gz
-RUN tar -zxvf apache-pinot-${PINOT_VERSION}-bin.tar.gz
-
-WORKDIR /apache-pinot-${PINOT_VERSION}-bin
-
-
-COPY controller.conf controller.conf
-COPY broker.conf broker.conf
-COPY server.conf server.conf
-COPY minion.conf minion.conf
-COPY start-pinot.sh /apache-pinot-${PINOT_VERSION}-bin/start-pinot.sh
-RUN chmod +x /apache-pinot-${PINOT_VERSION}-bin/start-pinot.sh
-
-CMD ["./start-pinot.sh"]
\ No newline at end of file
diff --git a/apache/pinot/CVE-2024-56325/README.md b/apache/pinot/CVE-2024-56325/README.md
index a98047c2..22d5a0ce 100644
--- a/apache/pinot/CVE-2024-56325/README.md
+++ b/apache/pinot/CVE-2024-56325/README.md
@@ -1,7 +1,6 @@
 # setup vulnerable version
 ```bash
-docker build --build-arg PINOT_VERSION=1.2.0 -t pinot-jdk21-debian:1.2.0 .
-docker run --rm -p 9000:9000 --name pinot-CVE-2024-56325 pinot-jdk21-debian:1.2.0
+PINOT_VERSION=1.2.0 docker compose up
 ```
 ## test vulnerable version
 ```bash
@@ -15,15 +14,14 @@ curl -v http://localhost:9000/tables\;. # setup fixed version ```bash -docker build --build-arg PINOT_VERSION=1.3.0 -t pinot-jdk21-debian:1.3.0 . -docker run --rm -p 9001:9000 --name pinot-CVE-2024-56325-patched pinot-jdk21-debian:1.3.0 +PINOT_VERSION=1.3.0 docker compose up ``` ## test secure version ```bash -curl -v http://localhost:9001/tables +curl -v http://localhost:9000/tables # 401 Unauthorized # {"code":401,"error":"HTTP 401 Unauthorized"} -curl -v http://localhost:9001/tables\;. +curl -v http://localhost:9000/tables\;. # 401 Unauthorized # {"code":401,"error":"HTTP 401 Unauthorized"} ``` diff --git a/apache/pinot/CVE-2024-56325/docker-compose.yaml b/apache/pinot/CVE-2024-56325/docker-compose.yaml new file mode 100644 index 00000000..350775dc --- /dev/null +++ b/apache/pinot/CVE-2024-56325/docker-compose.yaml @@ -0,0 +1,17 @@ +services: + pinot: + image: apachepinot/pinot:${PINOT_VERSION:-1.2.0} + container_name: pinot + working_dir: /opt/pinot + volumes: + - ./controller.conf:/opt/pinot/controller.conf:ro + - ./broker.conf:/opt/pinot/broker.conf:ro + - ./server.conf:/opt/pinot/server.conf:ro + - ./minion.conf:/opt/pinot/minion.conf:ro + - ./start-pinot.sh:/opt/pinot/start-pinot.sh + entrypoint: "/opt/pinot/start-pinot.sh" + ports: + - "9000:9000" + - "8099:8099" + - "8098:8098" + - "8097:8097" \ No newline at end of file diff --git a/apache/pinot/CVE-2024-56325/start-pinot.sh b/apache/pinot/CVE-2024-56325/start-pinot.sh old mode 100644 new mode 100755
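Review bot: The four `ports` entries in docker-compose.yaml publish the container's ports on every host interface, and with the default `PINOT_VERSION` of 1.2.0 that is the controller whose authentication the README shows being skipped, reachable from the whole network the host sits on. Bind the mappings to loopback, e.g. `- "127.0.0.1:9000:9000"`, and the same for 8099, 8098 and 8097. The README test only uses 9000, so the other three could be dropped; 8097 is not set by any of the committed .conf files (presumably a Pinot default). The `start-pinot.sh` volume is the only mount without `:ro`, and adding it keeps the container from modifying the host script. The image is pinned by tag only, so appending the registry digest would make the vulnerable and fixed runs reproducible.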