[CVEID]: CVE-2020-11974
[PRODUCT]: Apache DolphinScheduler (Incubating)
[VERSION]: Apache DolphinScheduler (Incubating) 1.2.0 and 1.2.1
[PROBLEMTYPE]: Remote code execution vulnerability
[REFERENCES]: https://lists.apache.org/thread.html/rcbe4c248ef0c566e99fd19388a6c92aeef88167286546b675e9b1769%40%3Cdev.dolphinscheduler.apache.org%3E
[DESCRIPTION]: It is related to the MySQL Connector/J remote code execution vulnerability when choosing MySQL as the database; for details, please refer to https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/. We have fixed it in PR https://github.com/apache/incubator-dolphinscheduler/pull/2728.
Best Regards
DolphinScheduler(Incubator) PPMC
Gang Li 李岗
lgcar...@apache.org

From: lidong dai
Date: 2020-09-10 16:45
To: announce
CC: Apache Security Team; dev; 伍 雄
Subject: [CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: DolphinScheduler 1.2.0, 1.2.1
Description: It is related to the MySQL Connector/J remote code execution vulnerability when choosing MySQL as the database; for details, please refer to https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/. We have fixed it in PR https://github.com/apache/incubator-dolphinscheduler/pull/2728.
Mitigation: 1.2.0 and 1.2.1 users should upgrade to >=1.3.1
Example: An attacker can execute code remotely on the DolphinScheduler server through the JDBC connect parameters input {"detectCustomCollations":true,"autoDeserialize":true}
Credit: This issue was discovered by WuXiong of QI'ANXIN YunYing Lab.

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai
lidong...@apache.org
---------------
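As an added defensive illustration (not code from the advisory, the fix PR, or the DolphinScheduler project), the check below rejects user-supplied JDBC connection parameters that name Connector/J properties letting a server-controlled MySQL endpoint drive deserialization or local file reads. Only autoDeserialize and detectCustomCollations come from the advisory; the other two denied properties, the JDBC URL shape, and the function names are assumptions.

```python
import json
from urllib.parse import parse_qs

# Connector/J properties a datasource form should never accept from users.
# autoDeserialize and detectCustomCollations are the two quoted in the
# advisory; allowLoadLocalInfile / allowUrlInLocalInfile are added here as a
# conservative assumption (they expose the client filesystem to the server).
# Names are compared case-insensitively on purpose.
DENIED_PROPERTIES = {
    "autodeserialize",
    "detectcustomcollations",
    "allowloadlocalinfile",
    "allowurlinlocalinfile",
}


def find_denied_properties(jdbc_url, other_params):
    """Return the denied property names present in the URL query string or in
    the JSON 'other' parameters (as typed by the user), in the order found.
    Raises ValueError when the JSON is not a flat object."""
    found = []
    # Properties may also ride in the URL itself, e.g.
    # jdbc:mysql://db:3306/ds?autoDeserialize=true ; parse_qs percent-decodes
    # keys, so an encoded spelling such as auto%44eserialize is caught too.
    query = jdbc_url.partition("?")[2]
    for key in parse_qs(query, keep_blank_values=True):
        if key.strip().lower() in DENIED_PROPERTIES:
            found.append(key)
    if other_params.strip():
        params = json.loads(other_params)
        if not isinstance(params, dict):
            raise ValueError("connection parameters must be a JSON object")
        for key in params:
            if str(key).strip().lower() in DENIED_PROPERTIES:
                found.append(str(key))
    return found


def validate_datasource(jdbc_url, other_params):
    """Accept (return True) or reject (raise ValueError) a datasource definition."""
    denied = find_denied_properties(jdbc_url, other_params)
    if denied:
        raise ValueError("forbidden JDBC properties: " + ", ".join(denied))
    return True


if __name__ == "__main__":
    # Constructed input using the parameter string quoted in the advisory.
    bad = '{"detectCustomCollations":true,"autoDeserialize":true}'
    print(find_denied_properties("jdbc:mysql://db:3306/ds", bad))
```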