In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-02-25 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)05/31 Report--
What this article shares with you is an example analysis of high-risk vulnerabilities in Apache DolphinScheduler. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.
1. Overview of Apache DolphinScheduler
Apache DolphinScheduler (Incubator, formerly Easy Scheduler) is a distributed data workflow task scheduling system, which mainly solves the complex dependence of data research and development ETL, but can not directly monitor the health status of tasks. Easy Scheduler assembles Task in the way of DAG streaming, which can monitor the running status of tasks in real time, and support operations such as retry, failed recovery from specified nodes, pauses and Kill tasks.
The following is a diagram of the Apache DolphinScheduler architecture:
2. Apache DolphinScheduler system diagram
3. Vulnerability description
On Sept. 11, Green League Technology monitored that the Apache Software Foundation issued a security announcement, fixing the ApacheDolphinScheduler privilege coverage vulnerability (CVE-2020-13922) and the ApacheDolphinScheduler remote code execution vulnerability (CVE-2020-11974).
CVE-2020-11974 is related to the mysql connectorj remote code execution vulnerability, which allows attackers to remotely execute code on the DolphinScheduler server by entering {"detectCustomCollations": true, "autoDeserialize": true} through the jdbc connect parameter when selecting mysql as the database.
CVE-2020-13922 causes ordinary users to overwrite the passwords of other users in the DolphinScheduler system through api interface: api interface / dolphinscheduler/users/update
4. Scope of influence
Apache DolphinScheduler permission coverage vulnerability (CVE-2020-13922) affected version Apache DolphinScheduler = 1.2.0, 1.2.1, 1.3.1 unaffected version Apache DolphinScheduler > = 1.3.2
-
Apache DolphinScheduler remote execution Code vulnerability (CVE-2020-11974) affected version Apache DolphinScheduler = 1.2.0 1.2.1 unaffected version Apache DolphinScheduler > = 1.3.1
5. Repair suggestion
At present, officials have fixed this vulnerability in the latest version. Please upgrade the affected users to version 1.3.2 for protection as soon as possible. Official download link: https://dolphinscheduler.apache.org/zh-cn/docs/release/download.html
The above is an example analysis of high-risk vulnerabilities in Apache DolphinScheduler. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.