Thank you for your reminder. We will release a fixed version, referring to the Apache DolphinScheduler CVE-2020-11974 patch you provided, to fix this RCE vulnerability.
Qing Xu <emyiq...@gmail.com> wrote on Saturday, 3 September 2022, 22:35:

> Hi,
>
> There may be potential RCE vulnerabilities in the Apache Linkis JDBC Engine.
> This attack technique is called: JDBC Attack
>
> The key to the issue is whether the jdbc url is completely trusted. Therefore, this is a potential vulnerability, but it is necessary to fix it.
>
> You can refer to:
> (1) https://su18.org/post/jdbc-connection-url-attack/
> (2) https://pyn3rd.github.io/2022/06/06/Make-JDBC-Attacks-Brillian-Again-I/
>
> In the case of a jdbc url with malicious parameters, a deserialization vulnerability will be caused. Therefore, the parameters in the jdbc url should be blacklisted. For example, autoDeserialize should not be added to the jdbc url.
>
> I think the repair plan can use a blacklist; if there is autoDeserialize or other malicious parameters, it should throw exceptions.
>
> You can refer to the Apache DolphinScheduler CVE-2020-11974 patch:
> https://github.com/apache/dolphinscheduler/blob/dev/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-mysql/src/main/java/org/apache/dolphinscheduler/plugin/datasource/mysql/param/MySQLDataSourceProcessor.java
>
> From the perspective of MySQL and JDBC, the autoDeserialize parameter is a reasonable feature and does not need to be prohibited, although it is dangerous. But from the perspective of Apache Linkis, is this parameter required? Maybe not; this is a very rare requirement. From a security perspective, it makes sense to disable it.
>
> The key to whether this issue should be fixed lies in whether the jdbc url source is completely safe. For example, it can only be configured in xml/yaml before startup or in static code by developers.
>
> If there is a dynamic configuration way or an unsafe input source, it will be a serious security problem and must be fixed. Assuming that it only comes from the static configuration of the developer, it may be safe.
>
> It seems that there is a function of dynamic configuration in Apache Linkis, as the jdbc url can be configured on the web page, so I think there is a vulnerability.
>
> Finally, I'm not sure if this email is correct. If you receive the email, I hope you can reply to me immediately. If I don't receive a reply, I will try to send it to secur...@apache.org.
>
> Kind Regards
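The thread proposes rejecting JDBC URLs that carry driver parameters such as autoDeserialize before a connection is opened. Below is an added example of that check, written for this page; it is not code from Apache Linkis, from the DolphinScheduler patch, or from either author. The denylist is illustrative: autoDeserialize is the parameter named in the thread, and the LOCAL INFILE-related names are assumed here as further MySQL Connector/J properties a deployment would usually not want reachable from a user-supplied URL. The class name JdbcUrlGuard and the sample URLs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Linkis or DolphinScheduler code): rejects JDBC URLs whose
 * query string carries a denylisted driver parameter, as the thread suggests.
 */
public final class JdbcUrlGuard {

    // Illustrative denylist, compared case-insensitively after URL-decoding.
    // "autodeserialize" comes from the thread; the other names are assumed here
    // (MySQL Connector/J properties controlling LOCAL INFILE behaviour).
    private static final Set<String> DENIED = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "autodeserialize",
            "allowloadlocalinfile",
            "allowlocalinfile",
            "allowurlinlocalinfile")));

    private JdbcUrlGuard() {
    }

    /**
     * Returns the URL unchanged if it is acceptable; throws IllegalArgumentException
     * if it is not a jdbc: URL or names a denied parameter.
     */
    public static String validate(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.regionMatches(true, 0, "jdbc:", 0, 5)) {
            throw new IllegalArgumentException("not a JDBC URL");
        }
        String query = extractQuery(jdbcUrl);
        if (query.isEmpty()) {
            return jdbcUrl;
        }
        // Connector/J separates parameters with '&'; ';' is accepted too for other drivers.
        for (String pair : query.split("[&;]")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            // Decode so that a percent-encoded spelling of a denied name is still caught.
            String name = decode(rawName).trim().toLowerCase(Locale.ROOT);
            if (DENIED.contains(name)) {
                throw new IllegalArgumentException("JDBC URL parameter not allowed: " + rawName);
            }
        }
        return jdbcUrl;
    }

    /** Extracts the raw query part of a jdbc: URL, falling back to a plain '?' split. */
    private static String extractQuery(String jdbcUrl) {
        // Drop the "jdbc:" prefix so java.net.URI sees the driver-specific URL (e.g. mysql://host/db?x=y).
        String rest = jdbcUrl.substring(5);
        try {
            String q = new URI(rest).getRawQuery();
            if (q != null) {
                return q;
            }
        } catch (URISyntaxException ignored) {
            // Not RFC 3986-clean (some drivers allow this); fall through to the manual split.
        }
        int qmark = rest.indexOf('?');
        return qmark < 0 ? "" : rest.substring(qmark + 1);
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8.name());
        } catch (Exception e) {
            // Malformed escape sequences: compare the raw name instead of failing open.
            return s;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs for demonstration.
        String safe = "jdbc:mysql://db.example.internal:3306/linkis?useSSL=true&characterEncoding=UTF-8";
        String denied = "jdbc:mysql://db.example.internal:3306/linkis?useSSL=true&autoDeserialize=true";
        System.out.println("accepted: " + validate(safe));
        try {
            validate(denied);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

This implements the denylist the thread asks for, but a denylist has to be kept in step with every driver version the engine ships; where the product can afford it, the stronger fix is to accept only structured fields (host, port, database, and an allowlist of known-safe options) and assemble the URL server-side, so a free-form URL from the web page is never handed to the driver at all.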