Posted to commits@dolphinscheduler.apache.org by ki...@apache.org on 2021/10/26 03:28:13 UTC

[dolphinscheduler-website] branch master updated: Add Vulnerability Explanation Blog (#471)

This is an automated email from the ASF dual-hosted git repository.

kirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 0bdc77b  Add Vulnerability Explanation Blog (#471)
0bdc77b is described below

commit 0bdc77b3817456eabe5c1d7d49a38ab3faa04953
Author: lifeng <53...@users.noreply.github.com>
AuthorDate: Tue Oct 26 11:28:07 2021 +0800

    Add Vulnerability Explanation Blog (#471)
    
    * update blog jinyong
    
    update blog jinyong
    
    * update blog.js
    
    * update blog.js list
    
    rt
    
    * Add Introducing Apache DolphinScheduler 1.3.9
    
    Add Introducing Apache DolphinScheduler 1.3.9
    
    * add blog.js
    
    add blog.js
    
    Co-authored-by: Kirs <ac...@163.com>
    Co-authored-by: CalvinKirs <ki...@apache.org>
---
 .../DolphinScheduler Vulnerability Explanation.md  | 62 ++++++++++++++++++++++
 .../Introducing Apache DolphinScheduler 1.3.9.md   |  3 --
 ...203\205\345\206\265\350\257\264\346\230\216.md" | 43 +++++++++++++++
 site_config/blog.js                                | 21 ++++++++
 4 files changed, 126 insertions(+), 3 deletions(-)

diff --git a/blog/en-us/DolphinScheduler Vulnerability Explanation.md b/blog/en-us/DolphinScheduler Vulnerability Explanation.md
new file mode 100644
index 0000000..a31c641
--- /dev/null
+++ b/blog/en-us/DolphinScheduler Vulnerability Explanation.md	
@@ -0,0 +1,62 @@
+[Security Notice] [Low:impact] DolphinScheduler Vulnerability Explanation
+
+
+The Apache DolphinScheduler community mailing list recently reported a vulnerability. Considering that many users have not subscribed to this mailing list, we hereby explain the situation:
+
+
+CVE-2021-27644
+
+
+Importance: Low
+
+
+Scope of impact: The exposed service is on the external network and the internal account is leaked. If none of the above, the user can decide whether to upgrade according to the actual demand.
+
+Affected version: <1.3.6
+
+Vulnerability description:
+
+
+This problem is caused by a vulnerability in mysql connectorj. Logged-in users of DolphinScheduler (users who are not logged in cannot perform this operation. It is recommended that companies conduct account security specifications)  can fill in malicious parameters that cause security risks on the data source management page-Mysql data source. (Not affected if Mysql data source is not used)
+
+
+Repair suggestion: upgrade to version >=1.3.6
+
+
+Special thanks to
+
+
+Special thanks to the reporter of the vulnerability: Jin Chen from the Ant Security FG Lab, who restored the process of the vulnerability and provided the corresponding solution. The whole process showed the skills and expertise of professional security personnel, thanks for their contributions to the security guard of open source projects.
+
+
+Suggest
+
+
+Thanks to users for choosing Apache DolphinScheduler as the big data task scheduling system in enterprises, but it must be reminded that the scheduling system belongs to the core infrastructure of big data construction, please do not expose it to the external network. In addition, security measures should be taken for the account of internal personnel in the enterprise to reduce the risk of account leakage.
+
+
+Contribute
+
+
+So far, the Apache DolphinScheduler community has nearly 200+ code contributors and 70+ non-code contributors. Among them, there are also PMC or Committer of other top Apache projects. We embrace more partners to participate in the development of the open source community, working together to build a more stable, safe and reliable big data task scheduling system, and also contributing yourself to the rise of China's open source!
+
+
+WebSite: https://dolphinscheduler.apache.org/
+
+
+MailList: dev@dolphinscheduler@apache.org
+
+
+Twitter: @DolphinSchedule
+
+
+YouTube: https://www.youtube.com/channel/UCmrPmeE7dVqo8DYhSLHa0vA
+
+
+Slack: https://s.apache.org/dolphinscheduler-slack
+
+
+Contributor Guide: https://dolphinscheduler.apache.org/en-us/community/index.html
+
+
+If you have any questions about the vulnerability, welcome to participate in the discussion and we will wholeheartedly resolve your problems.
\ No newline at end of file
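Review bot: the contact line `MailList: dev@dolphinscheduler@apache.org` contains two `@` characters and is not a deliverable address; the project's list is `dev@dolphinscheduler.apache.org`, so correct it before this page goes live. Two further points in the same file: the vulnerability description only says a logged-in user "can fill in malicious parameters" on the MySQL data source page and never states which parameters are restricted in 1.3.6 or what the fix changes, which is exactly what a reader following the "decide whether to upgrade" advice needs, so link the CVE-2021-27644 record or the fixing change, and spell the library as MySQL Connector/J rather than `mysql connectorj`. The section titles (`Vulnerability description:`, `Special thanks to`, `Suggest`, `Contribute`) are bare lines in a `.md` file and will render as body text; give them `#` markers like the other blog posts, and add the missing trailing newline.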
diff --git a/blog/en-us/Introducing Apache DolphinScheduler 1.3.9.md b/blog/en-us/Introducing Apache DolphinScheduler 1.3.9.md
index e082e7b..84dc5c6 100644
--- a/blog/en-us/Introducing Apache DolphinScheduler 1.3.9.md	
+++ b/blog/en-us/Introducing Apache DolphinScheduler 1.3.9.md	
@@ -34,9 +34,6 @@ The detailed user docs for Standalone, please refer to:[1.3.9 standalone-server]
 
 **☆[Fix #6337][Task] Sql limit param no default value**
 
-
-
-
 When the SqlTask ​​is executed, if the limit parameter is not set, the displayed result is empty. Based on this, the default parameters have been added in 1.3.9, and relevant instructions have been made on the log to allow users to track the problem more clearly.
 
 **☆[Bug#6429] [ui] sub_process node open sub_task show empty page #6429**
diff --git "a/blog/zh-cn/DolphinScheduler\346\274\217\346\264\236\346\203\205\345\206\265\350\257\264\346\230\216.md" "b/blog/zh-cn/DolphinScheduler\346\274\217\346\264\236\346\203\205\345\206\265\350\257\264\346\230\216.md"
new file mode 100644
index 0000000..de6504e
--- /dev/null
+++ "b/blog/zh-cn/DolphinScheduler\346\274\217\346\264\236\346\203\205\345\206\265\350\257\264\346\230\216.md"
@@ -0,0 +1,43 @@
+【安全通报】【影响程度:低】DolphinScheduler 漏洞情况说明
+
+Apache DolphinScheduler 社区邮件列表最近通告了 1个漏洞,考虑到有很多用户并未订阅此邮 件列表,我们特地在此进行情况说明:
+
+CVE-2021-27644
+
+重要程度: 低
+
+影响范围: 暴露服务在外网中、且内部账号泄露。如果无上述情况,用户可根据实际情况决定是否需要升级。
+
+影响版本: <1.3.6
+
+漏洞说明:
+
+此问题是由于mysql connectorj 漏洞引起的,DolphinScheduler登陆用户(未登录用户无法执行此操作,建议企业做好账号安全规范)可在数据源管理页面-Mysql数据源填写恶意参数,导致安全隐患。(未使用Mysql数据源的不影响)
+
+修复建议: 升级到>=1.3.6版本
+
+特别感谢
+
+特别感谢漏洞报告者:来自蚂蚁安全非攻实验室的锦辰同学,他提供了漏洞的还原过程以及对应的解决方案。整个过程呈现了专业安全人员的技能和高素质,感谢他们为开源项目的安全守护所作出的贡献。
+
+建议
+
+十分感谢广大用户选择 Apache DolphinScheduler 作为企业的大数据任务调度系统,但必须要提醒的是调度系统属于大数据建设中核心基础设施,请不要将其暴露在外网中。此外应该对企业内部人员账号做好安全措施,降低账号泄露的风险。
+
+贡献
+
+迄今为止,Apache DolphinScheduler 社区已经有近200+ 位代码贡献者,70+位非代码贡献者。其中也不乏其他Apache顶级项目的PMC或者Committer,非常欢迎更多伙伴也能参与到开源社区建设中来,为建造一个更加稳定安全可靠的大数据任务调度系统而努力,同时也为中国开源崛起献上自己的一份力量!
+
+WebSite :https://dolphinscheduler.apache.org/
+
+MailList :dev@dolphinscheduler@apache.org
+
+Twitter :@DolphinSchedule
+
+YouTube :https://www.youtube.com/channel/UCmrPmeE7dVqo8DYhSLHa0vA
+
+Slack :https://s.apache.org/dolphinscheduler-slack
+
+Contributor Guide:https://dolphinscheduler.apache.org/en-us/community/index.html
+
+如果对漏洞有任何疑问,欢迎参与讨论,竭诚解决大家的疑虑:
\ No newline at end of file
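Review bot: the same malformed list address appears here (`MailList :dev@dolphinscheduler@apache.org`) and needs the same correction to `dev@dolphinscheduler.apache.org`. The closing line `如果对漏洞有任何疑问,欢迎参与讨论,竭诚解决大家的疑虑:` ends with a colon, which reads as introducing a contact or link that is not in the file; either remove the colon or add what it was meant to introduce. As in the English version, the section titles are plain lines in Markdown and should carry `#` markers, and the file lacks a trailing newline.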
diff --git a/site_config/blog.js b/site_config/blog.js
index 242d6d7..39e8015 100644
--- a/site_config/blog.js
+++ b/site_config/blog.js
@@ -3,6 +3,20 @@ export default {
     barText: 'Blog',
     postsTitle: 'All posts',
     list: [
+          {
+        title: 'DolphinScheduler Vulnerability Explanation',
+        author: 'Debar Chen',
+        dateStr: '2021-10-26',
+        desc: 'DolphinScheduler Vulnerability Explanation',
+        link: '/en-us/blog/DolphinScheduler Vulnerability Explanation.html',
+      },
+      {
+        title: 'Introducing Apache DolphinScheduler 1.3.9, StandaloneServer is Available!',
+        author: 'Debar Chen',
+        dateStr: '2021-10-22',
+        desc: 'Introducing Apache DolphinScheduler 1.3.9, StandaloneServer is Available!',
+        link: '/en-us/blog/Introducing Apache DolphinScheduler 1.3.9.html',
+      },
       {
         title: 'Introducing Apache DolphinScheduler 1.3.9, StandaloneServer is Available!',
         author: 'Debar Chen',
@@ -47,6 +61,13 @@ export default {
     barText: '博客',
     postsTitle: '所有文章',
     list: [
+     {
+        title: 'DolphinScheduler漏洞情况说明',
+        author: '徐玮毅',
+        dateStr: '2021-10-26',
+        desc: 'DolphinScheduler漏洞情况说明',
+        link: '/zh-cn/blog/DolphinScheduler漏洞情况说明.html',
+      },
       {
         title: 'Apache DolphinScheduler 架构演进及开源经验分享',
         author: '徐玮毅',
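Review bot: the opening `{` of the added entry is indented five spaces where the neighbouring entries use six; align it. Also, this zh-cn entry credits `author: '徐玮毅'` while the en-us entry for the same post in the hunk above credits `Debar Chen`; if the two are the same author under different names that is fine, otherwise pick one so the two language indexes agree.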