Service Notices
Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
Aug 07, 2020 GMT+08:00
I. Overview
Apache SkyWalking has officially released SkyWalking 8.1.0, which fixes an SQL injection vulnerability (CVE-2020-13921). When H2, MySQL, or TiDB is used as the SkyWalking storage backend, some SkyWalking versions build wildcard (LIKE) queries by concatenating user-supplied input directly into the SQL statement. An attacker can send crafted requests through this query path to inject SQL and read information held in the storage database.
If you are an Apache SkyWalking user, check the version your service runs and apply the fix promptly.
Reference link:
https://github.com/apache/skywalking/pull/4970
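The following is an added illustrative example and is not SkyWalking's own code. It reproduces the class of flaw described above, a wildcard search whose keyword is concatenated into a LIKE clause, and the hardened form that binds the pattern as a parameter and escapes LIKE metacharacters. SQLite stands in for H2/MySQL/TiDB, and the table names, column names and sample rows are constructed assumptions, not SkyWalking's real schema.

```python
import sqlite3

# Constructed sample data standing in for a service metadata table and an
# unrelated sensitive table in the same storage database. Names are assumptions.
SERVICE_NAMES = ["order-service", "user_db", "userXdb", "payment-service"]
SECRETS = [("admin", "s3cr3t-token")]


def open_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE service_inventory (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO service_inventory (name) VALUES (?)",
                     [(n,) for n in SERVICE_NAMES])
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SECRETS)
    return conn


def search_services_vulnerable(conn, keyword):
    """Wildcard search built by string concatenation (the vulnerable pattern):
    the keyword is pasted into the SQL text, so a quote character in it breaks
    out of the string literal and the rest of the keyword is parsed as SQL."""
    sql = "SELECT name FROM service_inventory WHERE name LIKE '%" + keyword + "%'"
    return {row[0] for row in conn.execute(sql)}


def escape_like(keyword, escape="\\"):
    """Neutralise the LIKE metacharacters (% and _) and the escape character
    itself so the keyword is matched literally inside the wildcard pattern."""
    return (keyword.replace(escape, escape + escape)
                   .replace("%", escape + "%")
                   .replace("_", escape + "_"))


def search_services_hardened(conn, keyword):
    """Parameterised wildcard search (the fixed pattern): the LIKE pattern is
    bound as a value and never becomes SQL text, and metacharacters in the
    keyword are escaped so they cannot widen the match."""
    pattern = "%" + escape_like(keyword) + "%"
    sql = "SELECT name FROM service_inventory WHERE name LIKE ? ESCAPE '\\'"
    return {row[0] for row in conn.execute(sql, (pattern,))}


# Constructed injection payload: closes the LIKE literal, UNIONs in a column from
# another table, and comments out the trailing wildcard and quote. A single
# column on both sides keeps the UNION syntactically valid.
INJECTED_KEYWORD = "%' UNION SELECT secret FROM users --"


def demo():
    """Run both search implementations against the injection payload."""
    conn = open_db()
    leaked = search_services_vulnerable(conn, INJECTED_KEYWORD)
    safe = search_services_hardened(conn, INJECTED_KEYWORD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", sorted(leaked))   # includes the secret from the users table
    print("hardened:  ", sorted(safe))     # empty: no service name contains the payload
```

The hardened version also escapes `_` and `%`, so a keyword such as `user_` matches only `user_db` and not `userXdb`; binding the pattern alone stops injection, but without escaping a user can still turn a literal search into a broader wildcard scan.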
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache SkyWalking 8.0.0 to 8.0.1
Apache SkyWalking 7.0.0
Apache SkyWalking 6.0.0 to 6.6.0
Secure version:
Apache SkyWalking 8.1.0
IV. Vulnerability Handling
This vulnerability has been fixed in the official 8.1.0 release. If your service version falls into the affected range, upgrade it to 8.1.0 or later.
Download link: https://github.com/apache/skywalking/releases
The Web Application Firewall (WAF) service provided by HUAWEI CLOUD can defend against attacks exploiting this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules. WAF blocking is a mitigation for the exposed path only; it does not replace upgrading the affected SkyWalking instances.
Note: Before fixing vulnerabilities, back up your files and data and test the upgrade thoroughly in a non-production environment.