2025-04-04 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
Today I will talk about how the open source APISIX gateway can be used to respond to the SkyWalking SQL injection vulnerability CVE-2020-9483, a topic that may be unfamiliar to many readers. To make it easier to understand, the editor has summarized the following contents; I hope you get something out of this article.
0x01 Summary
Apache SkyWalking recently disclosed a SQL injection vulnerability: CVE-2020-9483.
Apache SkyWalking is an APM (application performance monitoring) system used to trace and analyze the performance of online systems, supporting TCP and HTTP protocols. The affected SkyWalking versions are 6.0-6.6 and 7.0; upgrading to the official 8.0 release fixes the SQL injection vulnerability.
The problem lies in Apache SkyWalking's GraphQL interface. GraphQL is Facebook's open source data query specification, a query language for APIs that wraps and describes a REST API. The underlying REST API interfaces under the JSON protocol carry security risks if the code implementation does not follow the ANFA specification, and this time Apache SkyWalking's GraphQL interface has a SQL injection problem. The SQL injection occurs when SkyWalking uses one of the three databases H2/MySQL/TiDB for storage, and the vulnerability can be reproduced on the specific software versions listed above.
ElasticSearch also supports SQL queries, through a plug-in, but ES is not a relational database; if SkyWalking's storage backend is ES, the SQL injection problem may be weakened.
0x02 Emergency solution
The Tencent vulnerability report gives three emergency response options. The first: upgrade to the official 8.0 release. The second: add authorization to the SkyWalking interfaces exposed to the external network. The third, and most general: protect the interfaces with a web application firewall (WAF).
If the user's system already has a WAF deployed, the problem can be handled with a temporary SQL injection interception policy: before a request reaches SkyWalking, the WAF intercepts and filters out any request containing SQL injection.
0x03 Open source solution
This article focuses on solving the problem with open source software: adding a layer of API gateway in front of the old SkyWalking version to close the SQL injection hole on the live system until SkyWalking is upgraded to 8.0. The second and third schemes mentioned above can be implemented through one and the same software system, and the SkyWalking interface that is open to the external network stays protected while the SkyWalking upgrade is in progress.
Both the APISIX gateway and SkyWalking are Apache projects. APISIX itself supports SkyWalking through a corresponding plug-in, and also supports URL authentication (the second solution) and URI blacklist filtering (one of the WAF functions, SQL injection interception).
APISIX is an open source API gateway built on Nginx and OpenResty; it makes upstream management easy and supports a variety of plug-ins. APISIX's SkyWalking plug-in works together with SkyWalking to visualize and measure APISIX's request handling, in the same way as comparable open source gateway products such as Kong.
This is a tracing map of APISIX in SkyWalking.
Recently the CVE-2020-9483 problem appeared. The solution that avoids upgrading to SkyWalking 8.0 is as follows.
As stated above, the no-upgrade solution has two parts: add authentication to the interface exposed to the external network, and block SQL injection with a firewall. With APISIX we do not need to upgrade SkyWalking to solve this security problem; we add a few functional plug-ins and adjust the execution order of the plug-ins.
1. Interface authentication. To prevent the external network from directly accessing the SkyWalking interface, we first route SkyWalking requests to the APISIX gateway, which authenticates each request and then forwards the authenticated request to SkyWalking. Choose one of two APISIX plug-ins: key-auth, access control by adding a key; basic-auth, access control through user name and password.
2. SQL injection interception. For general SQL injection, a WAF system intercepts requests based on characteristic SQL clauses in the request. APISIX also has a URI filtering plug-in: uri-blocker, URI blacklist interception.
0x04 Intercepting SQL injection
The uri-blocker plug-in source (cleaned up from the garbled listing in the original; the rejected_code default of 403 is reconstructed from the "200,403" fragment):

local core = require("apisix.core")
local re_compile = require("resty.core.regex").re_match_compile
local re_find = ngx.re.find
local ipairs = ipairs

local schema = {
    type = "object",
    properties = {
        block_rules = {
            type = "array",
            items = {
                type = "string",
                minLength = 1,
                maxLength = 4096,
            },
            uniqueItems = true
        },
        rejected_code = {type = "integer", minimum = 200, default = 403},
    },
    required = {"block_rules"},
}

local plugin_name = "uri-blocker"

local _M = {
    version = 0.1,
    priority = 2900,
    name = plugin_name,
    schema = schema,
}

function _M.check_schema(conf)
    local ok, err = core.schema.check(schema, conf)
    if not ok then
        return false, err
    end

    -- validate every rule on its own so a bad regex fails the config, not a request
    local block_rules = {}
    for i, re_rule in ipairs(conf.block_rules) do
        local ok, err = re_compile(re_rule, "j")
        -- core.log.warn("ok:", tostring(ok), " err:", tostring(err), " re_rule:", re_rule)
        if not ok then
            return false, err
        end
        block_rules[i] = re_rule
    end

    -- join the rules into one alternation that the request path matches in one pass
    conf.block_rules_concat = core.table.concat(block_rules, "|")
    core.log.info("concat block_rules: ", conf.block_rules_concat)
    return true
end

function _M.rewrite(conf, ctx)
    core.log.info("uri: ", ctx.var.request_uri)

    -- only the request URI (path plus query string) is inspected
    local from = re_find(ctx.var.request_uri, conf.block_rules_concat, "jo")
    if from then
        core.response.exit(conf.rejected_code)
    end
end

return _M
The above is the basic blacklist filtering logic: the user prepares several SQL recognition rules that identify suspicious SQL clauses in an otherwise normal URI, and a matching URI is either rejected directly or, with another plug-in (dynamic upstream), forwarded to a honeypot system.
A simple example of how to write SQL injection interception rules:
1. "select.+(from|limit)"
2. "(?:(union(.*)select))"
3. "having"
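As an added example (not code from the article or from the APISIX project), the following Python models what the uri-blocker plug-in above does with these three rules: each rule is validated on its own, the rules are joined with "|" into one alternation, and only the request URI (path plus query string) is inspected, exactly as _M.rewrite reads ctx.var.request_uri. The sample URIs and access-log lines are constructed for this example; percent-decoding before matching and case-insensitive matching are additions of this example rather than behaviour of the page's plug-in, and audit_access_log is an assumed helper for replaying historical logs through the same rules.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed block rules, the three examples given in the article.
# Coarse substring rules such as "having" also match legitimate paths,
# so a real rule set needs tuning against real traffic before enforcement.
BLOCK_RULES: List[str] = [
    r"select.+(from|limit)",
    r"(?:(union(.*)select))",
    r"having",
]

# Constructed nginx-style access log lines (not taken from any real system).
SAMPLE_LOG = """\
127.0.0.1 - - [31/May/2020:10:00:00 +0000] "POST /graphql HTTP/1.1" 200 512
127.0.0.1 - - [31/May/2020:10:00:01 +0000] "GET /graphql?query=%7B%20service%20%7D HTTP/1.1" 200 128
127.0.0.1 - - [31/May/2020:10:00:02 +0000] "GET /search?q=select%20name%20from%20users HTTP/1.1" 200 2048
127.0.0.1 - - [31/May/2020:10:00:03 +0000] "GET /api/v1?sort=1%20union%20select%201 HTTP/1.1" 500 64
"""


def compile_rules(rules: List[str], ignore_case: bool = True) -> "re.Pattern[str]":
    """Mirror of the plug-in's check_schema step: validate every rule on its
    own (the Lua calls re_compile per rule and rejects the config on error),
    then join them with "|" so the request path compiles one alternation.
    The page's Lua matches with PCRE flags "jo" only, i.e. case-sensitively;
    ignore_case=True is an added hardening choice of this example."""
    for rule in rules:
        re.compile(rule)  # raises re.error on a malformed rule, like re_compile
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("|".join(rules), flags)


def check_request_uri(request_uri: str, compiled: "re.Pattern[str]",
                      rejected_code: int = 403, decode: bool = True) -> Optional[int]:
    """Mirror of _M.rewrite: only ctx.var.request_uri (path plus query string)
    is inspected. Returns the rejection status on a hit and None when the
    request may continue to the upstream. nginx hands the plug-in the raw,
    undecoded URI; decode=True percent-decodes first, an added step here."""
    subject = unquote(request_uri) if decode else request_uri
    if compiled.search(subject):
        return rejected_code
    return None


# Extracts method and URI from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')


def audit_access_log(log_text: str, compiled: "re.Pattern[str]") -> List[Tuple[str, str]]:
    """Detection helper (assumed, not part of the plug-in): replay historical
    access-log lines through the same rules to list the requests that would
    have been blocked, e.g. traffic that reached SkyWalking before the gateway
    was placed in front of it."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if check_request_uri(m.group("uri"), compiled) is not None:
            hits.append((m.group("method"), m.group("uri")))
    return hits


if __name__ == "__main__":
    rules = compile_rules(BLOCK_RULES)
    for uri in ["/graphql?query=%7B%20service%20%7D",
                "/search?q=select%20name%20from%20users",
                "/having-fun"]:
        print(uri, "->", check_request_uri(uri, rules) or "pass")
    print(audit_access_log(SAMPLE_LOG, rules))
```

Two points the run makes visible: the /having-fun path is rejected although it carries no SQL, so coarse rules must be tuned before they are enforced in front of real users; and because the plug-in sees only the URI, a GraphQL query carried in a POST body never reaches these rules, which is why the article pairs the blocker with interface authentication instead of relying on the blocker alone.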
The uri-blocker plug-in is enabled for APISIX as follows:
curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{"uri": "/*", "plugins": {"uri-blocker": {"block_rules": ["root.exe", "root.m+"]}}, "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:1980": 1}}}'
APISIX supports enabling plug-ins through API calls; in this way we register the SQL injection recognition rules, and any other plug-ins, in the APISIX gateway. Once SkyWalking has been upgraded to 8.0, the plug-in can be switched off just as quickly in the same way:
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{"uri": "/*", "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:1980": 1}}}'
0x05 Summary
If you run into similar security problems while using SkyWalking or other open source software, and want a low-cost way to deal with a sudden issue such as CVE-2020-9483, consider the open source solution described above: open source, plug and play. This time the problem was in SkyWalking; next time it may be other software, and responding at that speed needs an agile system.