
Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Last updated: 2022-06-23 11:14:27
On August 5, 2020, Tencent Force (force.tencent.com) detected through its monitoring that Apache SkyWalking has a SQL injection vulnerability (CVE-2020-13921). A new version has been officially released to fix this vulnerability.
To safeguard your business, we recommend you conduct a security inspection promptly. If your business is affected, update it to fix the vulnerability as soon as possible and prevent intrusion by attackers. For more information, see Affected Versions.

Vulnerability Details

Apache SkyWalking is an application performance monitoring (APM) tool that provides automated, high-performance monitoring for microservice, cloud-native, and container-based applications. Its official website shows that it is used by a large number of Chinese companies in the internet, banking, and civil aviation sectors.
Multiple versions of SkyWalking expose GraphQL APIs by default without authentication. Attackers can send crafted requests to these APIs to perform SQL injection, leaking sensitive information from the user database. Given the broad impact of this vulnerability, we recommend you fix it as soon as possible.

Risk Level

High Risk

Vulnerability Risk

Through SQL injection, attackers can steal sensitive information from affected servers.

Affected Versions

Apache SkyWalking 6.0.0–6.6.0
Apache SkyWalking 7.0.0
Apache SkyWalking 8.0.0–8.0.1

Fixed Version

Apache SkyWalking 8.1.0

Suggestions for Fix

A new version has been officially released to fix this vulnerability. Tencent Security recommends the following:
Recommended solution: Upgrade to Apache SkyWalking 8.1.0 or later.
Temporary mitigation: If the upgrade is not possible right away, avoid exposing the GraphQL APIs of Apache SkyWalking to the public network, or add a layer of authentication in front of these APIs.
Recommendation for organizational users: Use Tencent Security services to detect and block attacks that exploit this Apache SkyWalking SQL injection vulnerability.
Tencent Cloud WAF supports detection of and defense against attacks that exploit this SkyWalking SQL injection vulnerability.
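As an added illustration of the temporary mitigation above (example configuration, not part of this advisory or the SkyWalking project), the following nginx reverse-proxy fragment keeps the SkyWalking GraphQL endpoint off the public network and adds HTTP basic authentication in front of it. It assumes the OAP server listens on 127.0.0.1:12800 and serves GraphQL at /graphql (the project defaults; verify against your deployment), that the internal network is 10.0.0.0/8, and that an htpasswd file already exists at /etc/nginx/skywalking.htpasswd; hostname and TLS paths are placeholders.

```nginx
# Added example: front the SkyWalking OAP GraphQL endpoint with nginx.
# Assumptions: OAP at 127.0.0.1:12800, GraphQL path /graphql,
# internal network 10.0.0.0/8, htpasswd file already created.
# The weak setting this replaces is an unrestricted
#   location /graphql { proxy_pass http://oap:12800; }
# reachable from the Internet with no authentication.
server {
    listen 443 ssl;
    server_name skywalking.example.internal;              # placeholder hostname
    ssl_certificate     /etc/nginx/tls/skywalking.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/skywalking.key;    # placeholder path

    location = /graphql {
        # Network restriction: only the internal range may reach the API.
        allow 10.0.0.0/8;
        deny  all;

        # Authentication layer on top of the network restriction.
        # nginx defaults to "satisfy all", so both checks must pass.
        auth_basic           "SkyWalking GraphQL";
        auth_basic_user_file /etc/nginx/skywalking.htpasswd;

        proxy_pass         http://127.0.0.1:12800;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    # Any other OAP path is not proxied, so nothing else is exposed by accident.
    location / {
        return 404;
    }
}
```

The proxy is only effective if the OAP REST/GraphQL listener itself is bound to the loopback interface or its port is blocked by a host firewall; otherwise clients can bypass nginx and reach port 12800 directly.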

References

If needed, you can find more information about the vulnerability here.
