How to analyze Apache SkyWalking SQL injection vulnerability CVE-2020-13921

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail how to analyze the Apache SkyWalking SQL injection vulnerability CVE-2020-13921. The content is of high quality, so the editor shares it with you as a reference; I hope you will have some understanding of the relevant knowledge after reading it.

Introduction to Apache SkyWalking components

SkyWalking is an observability analysis platform and application performance management (APM) system. It provides an integrated solution for distributed tracing, service mesh telemetry analysis, metrics aggregation and visualization. Language probes are available for Java, .NET Core, PHP, NodeJS, Golang and Lua, and a service mesh built with Envoy + Istio is supported. Its features include multiple monitoring methods (language probes and service mesh); a lightweight, efficient design that does not depend on a big-data stack; a modular design in which the UI, storage and cluster management mechanisms are optional; automatic probes for six languages; alerting support; and good visualization. It is widely used in the domestic Internet, banking, civil aviation and other fields.

Vulnerability description

Apache SkyWalking recently released version 8.1.0, which fixes a SQL injection vulnerability (CVE-2020-13921). In multiple versions of SkyWalking, an unauthenticated GraphQL interface is enabled by default; when H2, MySQL or TiDB is used as the Apache SkyWalking storage backend, an attacker can construct a wildcard query statement that performs SQL injection, leading to disclosure of sensitive information from the user's database.

Vulnerability reproduction

Sending a specially constructed HTTP request to an Apache SkyWalking environment with this vulnerability causes the database error to be echoed back in the response. The effect is as follows:
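As an added illustration (not SkyWalking's own code), the pattern behind a bug of this kind, with an in-memory SQLite table standing in for the H2/MySQL/TiDB metadata storage: a keyword concatenated into a LIKE clause fails with a database error on a stray quote (the error echo described above) and lets `_` and `%` act as wildcards, while the parameterized form with LIKE escaping treats the keyword as plain data. The table name, row values and function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a SkyWalking metadata table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE service_inventory (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO service_inventory VALUES (?, ?)",
        [(1, "order-service"), (2, "payment_service"), (3, "inventory-api")],
    )
    return conn


def search_vulnerable(conn, keyword):
    """Injectable pattern: the user-supplied keyword is spliced into the SQL text."""
    sql = ("SELECT name FROM service_inventory WHERE name LIKE '%"
           + keyword + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def escape_like(keyword):
    """Neutralize LIKE metacharacters so the keyword matches literally."""
    return keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(conn, keyword):
    """Hardened pattern: bound parameter plus an ESCAPE clause for wildcards."""
    sql = ("SELECT name FROM service_inventory WHERE name LIKE ? ESCAPE '\\' "
           "ORDER BY id")
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(keyword) + "%",))]


def probe(conn, keyword):
    """Run both variants on one keyword; the vulnerable one may surface a DB error."""
    try:
        vulnerable = search_vulnerable(conn, keyword)
    except sqlite3.Error as exc:
        # This is the database error echo a reproduction request makes visible.
        vulnerable = "DB ERROR: " + str(exc)
    return vulnerable, search_fixed(conn, keyword)
```

A lone quote as the keyword yields a database error from the concatenated query and an empty result from the parameterized one; `_service` matches two rows through the unescaped wildcard but only the literal `payment_service` after escaping.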

Scope of impact

Currently affected Apache SkyWalking versions:

- Apache SkyWalking 6.0.0 to 6.6.0
- Apache SkyWalking 7.0.0
- Apache SkyWalking 8.0.0 and 8.0.1

Remediation

The vendor has fixed this vulnerability in SkyWalking version 8.1.0. Refer to the release page:

https://github.com/apache/skywalking/releases

That concludes this analysis of the Apache SkyWalking SQL injection vulnerability CVE-2020-13921. I hope the above content has been of some help to you and that you have learned something from it. If you think the article is good, please share it so more people can see it.
