Shulou(Shulou.com)05/31 Report--

What this article shares with you is the case analysis of Apache DolphinScheduler high-risk vulnerabilities CVE-2020-11974 and CVE-2020-13922. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Without saying much, let's take a look at it.

1. Summary of vulnerabilities

Vulnerability name

Apache DolphinScheduler high-risk vulnerabilities CVE-2020-11974, CVE-2020-13922

Threat level

High risk

Scope of influence

Apache DolphinScheduler permission override vulnerability (CVE-2020-13922):

Apache DolphinScheduler = 1.2.0, 1.2.1, 1.3.1

Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974):

Apache DolphinScheduler = 1.2.0,1.2.1

Vulnerability type

Privilege escalation and remote code execution

Utilization difficulty

Unknown

II. Vulnerability Analysis 2.1 introduction of Apache DolphinScheduler components

Apache DolphinScheduler (incubator, formerly EasyScheduler) is a distributed workflow task scheduling system, which mainly solves the complex dependency relationship of data research and development ETL, and can not directly monitor the health status of tasks. DolphinScheduler assembles Task in the way of DAG streaming, which can monitor the running status of tasks in real time, and support operations such as retry, failed recovery from specified nodes, pauses and Kill tasks.

2.2 vulnerability description

The Apache Software Foundation issued a security bulletin on September 11th, fixing the Apache DolphinScheduler privilege coverage vulnerability (CVE-2020-13922) and the Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974).

CVE-2020-11974 is related to the mysql connectorj remote code execution vulnerability, which allows attackers to remotely execute code on the DolphinScheduler server by entering {"detectCustomCollations": true, "autoDeserialize": true} through the jdbc connect parameter when selecting mysql as the database. CVE-2020-13922 causes ordinary users to overwrite the passwords of other users in the DolphinScheduler system through api interface: api interface / dolphinscheduler/users/update.

III. Scope of influence

The affected version of the Apache DolphinScheduler privilege override vulnerability (CVE-2020-13922):

Apache DolphinScheduler = 1.2.0, 1.2.1, 1.3.1

Apache DolphinScheduler remote execution code vulnerability (CVE-2020-11974) affected version:

Apache DolphinScheduler = 1.2.0,1.2.1

Solution 4.1 repair recommendations

Currently, the manufacturer has fixed the vulnerability in the new version:

Patch download link:

Https://dolphinscheduler.apache.org/

Apache DolphinScheduler permission override vulnerability (CVE-2020-13922)

Users should upgrade to:

Apache DolphinScheduler > = 1.3.2

Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974)

Users should upgrade to:

Apache DolphinScheduler > = 1.3.1

The above is the example analysis of Apache DolphinScheduler high-risk vulnerabilities CVE-2020-11974 and CVE-2020-13922. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.