Posted to announce@apache.org by lidong dai <li...@apache.org> on 2020/09/10 08:45:25 UTC

[CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler 1.2.0, 1.2.1


Description:

It is related to the MySQL Connector/J remote code execution vulnerability when
choosing MySQL as the database; for details, please refer to:
https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/
We have fixed it in PR
https://github.com/apache/incubator-dolphinscheduler/pull/2728


Mitigation: 1.2.0 and 1.2.1 users should upgrade to >=1.3.1


Example: An attacker can execute code remotely on the DolphinScheduler
server through the JDBC connection parameters input
{"detectCustomCollations":true,"autoDeserialize":true}

Credit:  This issue was discovered by WuXiong of QI’ANXIN YunYing Lab.



Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai
lidongdai@apache.org
---------------
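A defensive check for the connection-parameter input named in the advisory, added here as an illustration and not the project's code or the fix in PR 2728: it parses the JSON parameter object a user submits for a MySQL datasource and rejects Connector/J properties that enable deserialization or class loading before the JDBC URL is built. The denylist contents, the case-insensitive key comparison and the sample inputs are assumptions of this example.

```python
import json
from urllib.parse import quote

# Connector/J properties that let a connection string trigger deserialization
# or class loading on the client side. Illustrative denylist (an assumption
# of this example); the advisory's payload uses the first two.
DENIED_JDBC_PARAMS = frozenset(p.lower() for p in (
    "autoDeserialize",
    "detectCustomCollations",
    "allowLoadLocalInfile",
    "allowUrlInLocalInfile",
    "queryInterceptors",
    "statementInterceptors",
))


def check_jdbc_params(raw: str) -> list:
    """Parse the user-supplied JSON connection parameters and return the
    sorted list of denied keys found (an empty list means none were found).
    Keys are compared case-insensitively as a conservative measure."""
    if not raw or not raw.strip():
        return []
    params = json.loads(raw)
    if not isinstance(params, dict):
        raise ValueError("connection parameters must be a JSON object")
    return sorted(k for k in params if k.strip().lower() in DENIED_JDBC_PARAMS)


def _jdbc_value(value) -> str:
    # JSON booleans become the lowercase form Connector/J expects.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_mysql_url(host: str, port: int, database: str, raw_params: str) -> str:
    """Build a jdbc:mysql URL, refusing any denied parameter outright."""
    denied = check_jdbc_params(raw_params)
    if denied:
        raise ValueError("rejected JDBC parameters: " + ", ".join(denied))
    params = json.loads(raw_params) if raw_params and raw_params.strip() else {}
    query = "&".join(
        quote(str(k), safe="") + "=" + quote(_jdbc_value(v), safe="")
        for k, v in params.items()
    )
    url = "jdbc:mysql://{}:{}/{}".format(host, port, database)
    return url + "?" + query if query else url


# Constructed sample inputs: the advisory's payload and a benign parameter set.
PAYLOAD = '{"detectCustomCollations":true,"autoDeserialize":true}'
BENIGN = '{"useSSL":true,"serverTimezone":"UTC"}'
```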

Re: [CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability

Posted by "lgcareer2019@outlook.com" <lg...@outlook.com>.
[CVEID]:CVE-2020-11974
[PRODUCT]:Apache DolphinScheduler(Incubating)
[VERSION]:Apache DolphinScheduler(Incubating) 1.2.0 and 1.2.1
[PROBLEMTYPE]:Remote Code execution vulnerability
[REFERENCES]:https://lists.apache.org/thread.html/rcbe4c248ef0c566e99fd19388a6c92aeef88167286546b675e9b1769%40%3Cdev.dolphinscheduler.apache.org%3E
[DESCRIPTION]: It is related to the MySQL Connector/J remote code execution vulnerability
when choosing MySQL as the database; for details, please refer to:
https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/
We have fixed it in PR
https://github.com/apache/incubator-dolphinscheduler/pull/2728



Best Regards

DolphinScheduler(Incubator) PPMC
Gang Li 李岗

lgcareer@apache.org
 
From: lidong dai
Date: 2020-09-10 16:45
To: announce
CC: Apache Security Team; dev; 伍 雄
Subject: [CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability