This is an automated email from the ASF dual-hosted git repository.
zhangliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shardingsphere.git
The following commit(s) were added to refs/heads/master by this push:
new 7a54e32510a Update documents about security (#20977)
7a54e32510a is described below
commit 7a54e32510a4a86f3f308f2db1396095f5c817a9
Author: 吴伟杰 <[email protected]>
AuthorDate: Wed Sep 14 18:39:25 2022 +0800
Update documents about security (#20977)
---
docs/community/content/security/_index.cn.md | 30 ++++++++++++++++++++++++++++
docs/community/content/security/_index.en.md | 30 ++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
diff --git a/docs/community/content/security/_index.cn.md
b/docs/community/content/security/_index.cn.md
index 4f3c3c987d2..04bfb374a52 100644
--- a/docs/community/content/security/_index.cn.md
+++ b/docs/community/content/security/_index.cn.md
@@ -11,3 +11,33 @@ Apache Software Foundation 在消除其软件项目中的安全问题方面采
在邮件中请指明项目名称为 ShardingSphere 和其旗下产品名称 ShardingSphere-JDBC 或
ShardingSphere-Proxy,并提供相关问题或潜在威胁的描述。同时推荐重现和复制安全问题的方法。在评估和分析调查结果后,Apache 安全团队和
ShardingSphere 社区将直接与您回复。
**请注意** 在提交安全邮件之前,请勿在公共领域披露安全电子邮件报告的安全问题。
+
+ShardingSphere-JDBC 并不直接对外提供服务,需要用户编写代码才能够使用。由于用户场景复杂多样,ShardingSphere
无法控制用户如何编写使用 ShardingSphere-JDBC 的代码。因此,ShardingSphere 社区**不接受任何因使用不当导致
ShardingSphere-JDBC 被利用的安全问题报告**。
+例如,用户在项目中引入了存在安全漏洞的 MySQL Connector/J,并信任了外部输入的 JDBC URL 作为
ShardingSphere-JDBC 的数据源配置。
+
+ShardingSphere-Proxy
以数据库协议对外提供服务,并提供了基于用户密码的认证方式。用户需要自行保证用户密码安全。因此,ShardingSphere 社区**不接受任何以攻击者已知
ShardingSphere-Proxy 用户密码为前提的安全问题报告**。
+
+ShardingSphere 集群模式依赖 ZooKeeper 等中间件,且信任用户提供的中间件。对于 ZooKeeper
等中间件的安全防护,用户需要自行保障。因此,ShardingSphere 社区**不接受 ZooKeeper 等中间件被攻击导致 ShardingSphere
被利用的安全问题报告**。
+
+第三方依赖安全建议:
+对于 ShardingSphere 发布版本默认不包含的依赖,需要用户自行保证依赖的安全性。
+例如:ShardingSphere 发布版本默认不包含 MySQL Connector/J,因此 ShardingSphere 不接受任何由于 MySQL
Connector/J 本身漏洞导致 ShardingSphere 被利用的安全问题报告。
+对于其他 ShardingSphere 发布版本默认不包含的依赖同理。
+
+对于 ShardingSphere 子项目的安全建议:
+由于 ShardingSphere-UI 已不再维护,ShardingSphere 社区将**不再接受任何与 ShardingSphere-UI
相关的安全问题报告**。
+
+ElasticJob 依赖 ZooKeeper,且信任用户提供的 ZooKeeper。对于 ZooKeeper
等中间件的安全防护,用户需要自行保障。因此,ShardingSphere 社区**不接受 ZooKeeper 被攻击导致 ElasticJob
被利用的安全问题报告**。
+
+ElasticJob-UI
旨在为用户提供一个便捷的作业管控平台。该平台向开发、运维人员提供服务,并非直接为互联网用户提供服务,建议用户仅在内网部署,并避免用户密码泄漏。ShardingSphere
社区**不接受任何以攻击者已知用户密码为前提的安全问题报告**。
+
+在提交安全问题报告之前,请参考 ShardingSphere 及子项目过去已发布的 CVE,避免重复提交。
+
+ShardingSphere:
+[CVE-2020-1947](https://www.cve.org/CVERecord?id=CVE-2020-1947)
+
+ShardingSphere-UI:
+[CVE-2021-26558](https://www.cve.org/CVERecord?id=CVE-2021-26558)
+
+ElasticJob-UI
+[CVE-2022-22733](https://www.cve.org/CVERecord?id=CVE-2022-22733)
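Review bot: the "ElasticJob-UI" label in the CVE list at the end of this hunk is missing the trailing colon that the "ShardingSphere:" and "ShardingSphere-UI:" labels above it carry; make it "ElasticJob-UI:" for consistency. Also note that the "第三方依赖安全建议:" block and the three lines that follow it have no blank line between them, so Markdown will render them as a single paragraph rather than a heading followed by points; either insert blank lines or make the three lines a list, and the same applies to "对于 ShardingSphere 子项目的安全建议:" and the line after it.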
diff --git a/docs/community/content/security/_index.en.md
b/docs/community/content/security/_index.en.md
index 7d824be18e8..bd6abd13b4e 100644
--- a/docs/community/content/security/_index.en.md
+++ b/docs/community/content/security/_index.en.md
@@ -16,3 +16,33 @@ You are also urged to recommend how to reproduce and
replicate the issue.
The Apache Security Team and the ShardingSphere community will get back to you
after assessing and analyzing the findings.
**Please note** that the security issue should be reported on the security
email first, before disclosing it on any public domain.
+
+ShardingSphere-JDBC does not directly provide external services, and users
need to write code to use it. Due to the complexity and variety of user
scenarios, ShardingSphere cannot control how users write code that uses
ShardingSphere-JDBC. Therefore, the ShardingSphere community **does not accept
any security issue reports that ShardingSphere-JDBC is exploited due to
improper use**.
+For example, the user introduced MySQL Connector/J with security
vulnerabilities in the project, and trusted the externally input JDBC URL as
the data source configuration of ShardingSphere-JDBC.
+
+ShardingSphere-Proxy provides external services through database protocol and
provides authentication method based on user password. Users need to ensure the
security of user passwords by themselves. Therefore, the ShardingSphere
community **does not accept any security issue report that presupposes that the
attacker knows the ShardingSphere-Proxy user password**.
+
+ShardingSphere cluster mode relies on middleware such as ZooKeeper, and trusts
the middleware provided by users. For the security protection of middleware
such as ZooKeeper, users need to protect themselves. Therefore, the
ShardingSphere community **does not accept security issue reports that
ShardingSphere is exploited due to middleware such as ZooKeeper being
attacked**.
+
+Third-party dependency security advice:
+For dependencies that are not included by default in the ShardingSphere
release version, users are required to ensure the security of dependencies.
+For example, the release version of ShardingSphere does not include MySQL
Connector/J by default, so ShardingSphere does not accept any security issue
report that ShardingSphere is exploited due to the vulnerability of MySQL
Connector/J itself.
+The same is true for dependencies that are not included by default in other
ShardingSphere releases.
+
+Security recommendations for the ShardingSphere subproject:
+Since ShardingSphere-UI is no longer maintained, the ShardingSphere community
**will no longer accept any security issue reports related to
ShardingSphere-UI**.
+
+ElasticJob relies on ZooKeeper and trusts the ZooKeeper provided by the user.
For the security protection of middleware such as ZooKeeper, users need to
protect themselves. Therefore, the ShardingSphere community **does not accept
the security issue report of ElasticJob being exploited due to ZooKeeper
attack**.
+
+ElasticJob-UI aims to provide users with a convenient job management and
control platform. The platform provides services to developers and operation
and maintenance personnel, not directly to Internet users. It is recommended
that users deploy only on the intranet and avoid leakage of user passwords. The
ShardingSphere community **does not accept any security issue reports that
presuppose that the attacker knows the user's password**.
+
+Before submitting a security issue report, please refer to the CVEs released
by ShardingSphere and its sub-projects in the past to avoid repeated
submissions.
+
+ShardingSphere:
+[CVE-2020-1947](https://www.cve.org/CVERecord?id=CVE-2020-1947)
+
+ShardingSphere-UI:
+[CVE-2021-26558](https://www.cve.org/CVERecord?id=CVE-2021-26558)
+
+ElasticJob-UI
+[CVE-2022-22733](https://www.cve.org/CVERecord?id=CVE-2022-22733)
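Review bot: the sentence "The same is true for dependencies that are not included by default in other ShardingSphere releases" does not match the Chinese text in the companion file, which says the same rule applies to other dependencies not included by default in ShardingSphere releases; suggest "The same applies to any other dependency that is not included in ShardingSphere releases by default." Two smaller points in the same hunk: "Security recommendations for the ShardingSphere subproject:" should be plural ("subprojects"), since both ShardingSphere-UI and ElasticJob are covered below it, and "users need to protect themselves" (twice) reads as the users being at risk; "users need to secure it themselves" conveys the intended meaning. As in the Chinese file, "ElasticJob-UI" at the end lacks the colon the other two CVE labels have.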