Security Bulletin 2023-07-22-01
Abstract
Potential unintended user access to restricted data as a result of previously-executed cached plans.
CVSS Qualitative Rating
- Medium
- CVSSv3.1
- Score: 6.5
- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Releases
- Dremio 24.0.0 through 24.0.x
- Dremio 23.0.0 through 23.1.x
- Dremio 22.0.0 through 22.1.x
- Dremio 21.0.0 through 21.7.x
- Dremio 20.0.0 through 20.8.x
- Dremio 19.0.0 through 19.11.x
Problem Description
In Affected Releases, Dremio’s query plan cache key is not user-context specific. As a result, a subsequent user who runs the same exact query as the original user may be granted access to the previously executed cached plan. The use of the shared cached plan may result in unintended access to restricted data, available to the original user but not intended for the subsequent user.
In Fixed Releases, Dremio’s query plan cache functionality adds user context to the plan cache hash, effectively making it a user-specific cache.
Resolution Actions
-
Option 1: Upgrade to a Fixed Release where plan cache is user-context specific and not shared across users.
-
Option 2: Disable physical plan caching until you can take the recommended Option 1.
SQL to Disable Physical Plan CachingALTER SYSTEM SET "planner.query_plan_cache_enabled" = falsecautionBe advised that cached plans provide improved query performance. Disabling physical plan caching may result in degraded query performance.
Fixed Releases
- Dremio 24.1.0 and above
- Dremio 23.2.0 and above
- Dremio 22.2.0 and above
- Dremio 21.8.1 and above
- Dremio 20.9.0 and above
- Dremio 19.12.0 and above