
Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Aug 07, 2020 GMT+08:00

I. Overview

Apache SkyWalking has officially released version 8.1.0, which fixes an SQL injection vulnerability (CVE-2020-13921). When H2, MySQL or TiDB is used as the Apache SkyWalking storage backend, an SQL injection vulnerability exists in the wildcard (LIKE-style) query code paths of the affected SkyWalking versions. An attacker who can reach the query interface can send specially crafted requests that inject SQL into these queries and read data from the storage database (information disclosure).
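The following is an added illustration of the bug class described above, not code from the SkyWalking project or its fix. It stands in sqlite3 for the H2/MySQL/TiDB backend and uses constructed tables (a `service` table to search and a `credentials` table standing in for any other data the attacker should not see). `search_vulnerable` builds the wildcard query by string concatenation; `search_safe` binds the keyword as a parameter and escapes the LIKE metacharacters `%` and `_` so the keyword is matched literally. `PAYLOAD` is a constructed injection string, not a captured exploit against SkyWalking.

```python
"""Wildcard (LIKE) search: string-concatenated SQL beside a parameterized version.

Added example for the CVE-2020-13921 bug class. Constructed sample data with
sqlite3; not SkyWalking's own code or its actual fix.
"""
import sqlite3

# Constructed injection string: closes the LIKE literal, appends a UNION that
# pulls from an unrelated table, and comments out the rest of the statement.
PAYLOAD = "' UNION SELECT secret FROM credentials --"


def build_db() -> sqlite3.Connection:
    """In-memory schema standing in for the storage backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE service (name TEXT);
        INSERT INTO service VALUES ('order-service'), ('payment-service'),
                                   ('pay_svc'), ('payXsvc');
        CREATE TABLE credentials (secret TEXT);
        INSERT INTO credentials VALUES ('s3cret-token');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """Vulnerable pattern: the caller's keyword becomes part of the SQL text."""
    sql = ("SELECT name FROM service WHERE name LIKE '%" + keyword + "%' "
           "ORDER BY name")
    return [row[0] for row in conn.execute(sql).fetchall()]


def escape_like(keyword: str, esc: str = "\\") -> str:
    """Escape the LIKE metacharacters so the keyword matches literally.

    Binding the keyword as a parameter stops SQL injection; escaping '%' and
    '_' additionally stops the caller from widening the match with wildcards.
    """
    return (keyword.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))


def search_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened pattern: fixed SQL text, keyword bound as a parameter."""
    sql = "SELECT name FROM service WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    pattern = "%" + escape_like(keyword) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,)).fetchall()]


if __name__ == "__main__":
    db = build_db()
    # The vulnerable query returns every service plus the contents of the
    # unrelated credentials table; the hardened query returns nothing, because
    # no service name contains the payload text.
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("hardened:  ", search_safe(db, PAYLOAD))
    # '_' is a single-character wildcard in LIKE; only the hardened query
    # treats it literally.
    print("vulnerable 'pay_':", search_vulnerable(db, "pay_"))
    print("hardened   'pay_':", search_safe(db, "pay_"))
```

The escape character and its syntax differ between databases (MySQL defaults to a backslash, H2 and most others require an explicit `ESCAPE` clause), so when porting the hardened pattern, check the dialect's LIKE documentation rather than assuming sqlite's behaviour.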

If you run Apache SkyWalking, check which version and storage backend your deployment uses and apply the fix promptly.

Reference link:

https://github.com/apache/skywalking/pull/4970

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache SkyWalking 8.0.0 to 8.0.1

Apache SkyWalking 7.0.0

Apache SkyWalking 6.0.0 to 6.6.0

Secure version:

Apache SkyWalking 8.1.0

IV. Vulnerability Handling

This vulnerability is fixed in the official 8.1.0 release. If your deployment runs a version in the affected range, upgrade it to 8.1.0 or later.

Download link: https://github.com/apache/skywalking/releases

The Web Application Firewall (WAF) service provided by HUAWEI CLOUD can block attacks that exploit this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules. Treat WAF blocking as an interim mitigation only; the vulnerable query code remains in place until SkyWalking itself is upgraded.

Note: Before upgrading, back up your data and configuration, and test the new version thoroughly before moving it into production.