On August 5, 2020, Tencent Force (force.tencent.com) discovered a SQL injection vulnerability in Apache SkyWalking (CVE-2020-13921). A new version has been officially released to fix this vulnerability.
To avoid impact on your business, Tencent Security recommends that you conduct a security check promptly. If your business is affected, apply the fix without delay to prevent intrusion by attackers. For more information, see Affected Versions.
Apache SkyWalking is an application performance monitoring (APM) tool that provides automated, high-performance monitoring for microservices, cloud-native, and container-based applications. According to its official website, it is used by a large number of Chinese companies in the internet, banking, and civil aviation sectors.
In multiple versions of SkyWalking, the GraphQL API is exposed by default without authentication. An attacker can send crafted requests to this API that perform SQL injection, leaking sensitive information from the user's database. Given the severity of this vulnerability, we recommend that you fix it as soon as possible.
Through SQL injection, an attacker can steal sensitive information from the server.
Apache SkyWalking 8.1.0
A new version has been officially released to fix this vulnerability. Tencent Security recommends that you:
Tencent Cloud WAF can detect and defend against attacks that exploit this SkyWalking SQL injection vulnerability.
If needed, you can find more information about the vulnerability here.