SQL Injection Vulnerability in Apache SkyWalking (CVE-2020-13921)

Last updated: 2020-12-15 15:20:27

    On August 5, 2020, Tencent Force (force.tencent.com) researched and discovered that Apache SkyWalking had a SQL injection vulnerability (CVE-2020-13921). A new version has been officially released to fix this vulnerability.

    To avoid impact on your business, Tencent Security recommends that you conduct a security inspection promptly. If your business is affected, update to a fixed version as soon as possible to prevent intrusions by attackers. For more information, please see Affected Versions.

    Vulnerability Details

    Apache SkyWalking is an application performance monitor (APM) tool that provides automated and high-performance monitoring solutions for microservices, cloud native, and container-based applications. Its official website shows that it is being used by a large number of Chinese companies in the internet, banking, and civil aviation sectors.

    In multiple versions of SkyWalking, the GraphQL APIs are exposed by default without authentication; through them, attackers can construct malicious request packets for SQL injection, resulting in the leakage of sensitive information from the user database. Given the wide impact of this vulnerability, we recommend you fix it as soon as possible.

    Severity

    High

    Risks

    Through SQL injection, attackers can steal sensitive information on servers.

    Affected Versions

    • Apache SkyWalking 6.0.0–6.6.0
    • Apache SkyWalking 7.0.0
    • Apache SkyWalking 8.0.0–8.0.1

    Fix

    Apache SkyWalking 8.1.0

    Suggestions for Fix

    A new version has been officially released to fix this vulnerability. Tencent Security recommends you:

    • Recommended solution: upgrade to Apache SkyWalking 8.1.0 or above.
    • Temporary mitigation: if you cannot upgrade immediately, avoid exposing the GraphQL APIs of Apache SkyWalking to the public network, or add a layer of authentication in front of them.
    • Recommendation for organizational users: use Tencent Security services to detect and block attacks through this Apache SkyWalking SQL injection vulnerability.
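    One way to apply the temporary mitigation above with an nginx reverse proxy, as an added example that is not part of the original advisory: the first server block shows an exposed pass-through, the second allows the GraphQL path only from an internal address range and requires HTTP basic authentication before a request reaches the OAP server. It assumes the OAP server listens on 127.0.0.1:12800 with its GraphQL endpoint at /graphql (SkyWalking's defaults; verify against your deployment), and the allowed range, certificate paths and htpasswd path are placeholders to adapt.

```nginx
# Weak: GraphQL API reachable from anywhere, with no authentication
server {
    listen 80;
    location /graphql {
        proxy_pass http://127.0.0.1:12800;   # OAP server (assumed default port)
    }
}

# Hardened: internal range only, credentials required, TLS in front
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/skywalking.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/skywalking.key;   # placeholder path

    location /graphql {
        # Only the internal network may reach the API (placeholder range)
        allow 10.0.0.0/8;
        deny  all;

        # Authenticate before proxying (placeholder htpasswd path)
        auth_basic           "SkyWalking API";
        auth_basic_user_file /etc/nginx/skywalking.htpasswd;

        proxy_pass http://127.0.0.1:12800;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Refuse every other path so nothing else on the OAP port is exposed
    location / {
        return 404;
    }
}
```

    The proxy only helps if the OAP port itself is bound to a loopback or internal interface and firewalled from the public network; otherwise the restriction can be bypassed by connecting to the OAP server directly.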

    Tencent Cloud WAF supports detection of and defense against attacks through this SkyWalking SQL injection vulnerability.

    References

    If needed, you can find more information on the vulnerability here.
