On August 5, 2020, Tencent Force (force.tencent.com) became aware of a SQL injection vulnerability in Apache SkyWalking (CVE-2020-13921). The Apache SkyWalking project has released a new version that fixes it.
To safeguard your business, we recommend you check your deployments promptly. If your business is affected, upgrade to fix the vulnerability and prevent intrusions by attackers. For more information, see Affected Versions.
Vulnerability Details
Apache SkyWalking is an application performance monitoring (APM) tool that provides automated, high-performance monitoring for microservice, cloud native, and container-based applications. Its official website shows that it is used by a large number of Chinese companies in the internet, banking, and civil aviation sectors.
In the affected versions, the GraphQL API of the SkyWalking OAP server is exposed without authentication by default, and the SQL-backed storage implementations (H2, MySQL, TiDB) build metadata queries by concatenating GraphQL query arguments into SQL text instead of binding them as parameters. An attacker who can reach the API can therefore craft requests that inject SQL into those queries and read data from the storage database behind SkyWalking that the query was never meant to return. Because no credentials are required, we recommend you fix this vulnerability as soon as possible.
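The following added example (not SkyWalking's code; it uses a constructed, simplified metadata schema in SQLite as a stand-in for the storage database) shows the class of bug described above: a search keyword taken from an API argument is concatenated into a LIKE clause, shown beside the parameterized form. The injected keyword turns a service-name search into a UNION over a table the caller should never see; the bound-parameter version returns nothing for the same input.

```python
import sqlite3

# Constructed, simplified schema standing in for an APM metadata store.
# It is NOT SkyWalking's real schema; it exists only to illustrate the bug.
SCHEMA = """
CREATE TABLE service_inventory (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_account (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO service_inventory (name)
    VALUES ('order-service'), ('payment-service'), ('auth-service');
INSERT INTO user_account (username, password_hash)
    VALUES ('admin', 'hash_a'), ('ops', 'hash_b');
"""


def open_db():
    """Return an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_services_vulnerable(conn, keyword):
    """Vulnerable pattern: the caller-controlled keyword (think: a GraphQL
    argument) is spliced into the SQL text, so it can change the query's
    structure, not just its value."""
    sql = "SELECT name FROM service_inventory WHERE name LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_services_fixed(conn, keyword):
    """Hardened pattern: the keyword is sent to the driver as a bound
    parameter. Whatever it contains, it is compared as data and can never
    become part of the SQL statement."""
    sql = "SELECT name FROM service_inventory WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


# A keyword that closes the LIKE string literal, appends a UNION against an
# unrelated table, and comments out the rest of the original statement.
INJECTED_KEYWORD = "x' UNION SELECT username || ':' || password_hash FROM user_account -- "


def demo():
    """Run both variants with a normal keyword and with the injected one."""
    return {
        "vulnerable_normal": search_services_vulnerable(open_db(), "pay"),
        "vulnerable_injected": sorted(search_services_vulnerable(open_db(), INJECTED_KEYWORD)),
        "fixed_normal": search_services_fixed(open_db(), "pay"),
        "fixed_injected": search_services_fixed(open_db(), INJECTED_KEYWORD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

Bound parameters are the fix; filtering characters is not, since the payload above uses only ordinary printable text. Note that `%` and `_` inside a bound keyword are still LIKE wildcards, which is a result-matching concern rather than an injection one and is handled with an ESCAPE clause.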
Risk Level
High Risk
Vulnerability Risk
Through SQL injection over the unauthenticated GraphQL API, attackers can read sensitive information from the SkyWalking storage database without any credentials.
Affected Versions
Apache SkyWalking 6.0.0–6.6.0
Apache SkyWalking 7.0.0
Apache SkyWalking 8.0.0–8.0.1
Fixed Version
Apache SkyWalking 8.1.0
Suggestions for Fix
A new version has been officially released to fix this vulnerability. Tencent Security recommends you:
Recommended solution: Upgrade to Apache SkyWalking 8.1.0 or later.
Temporary mitigation: If you cannot upgrade yet, do not expose the GraphQL API of the SkyWalking OAP server to the public network, or place an authentication layer (for example, a reverse proxy that requires credentials) in front of it. Confirm afterwards that anonymous requests to the endpoint are rejected.
Recommendation for organizational users: Use Tencent Security services to detect and block attacks that exploit this Apache SkyWalking SQL injection vulnerability.
Tencent Cloud WAF can detect and block attacks that exploit this SkyWalking SQL injection vulnerability.
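To check that the temporary mitigation above is in place, this added script (not part of the advisory or of the SkyWalking project) sends one harmless GraphQL query (`{ __typename }`, which reads no data) to the OAP server and reports whether anonymous queries are answered. It assumes the default OAP GraphQL endpoint, http://<host>:12800/graphql; adjust the URL for your deployment and run it only against hosts you are authorized to test.

```python
import json
import sys
import urllib.error
import urllib.request

# Assumption (not from the advisory): OAP serves GraphQL at /graphql on its
# REST port, 12800 by default. Override on the command line if yours differs.
DEFAULT_TARGET = "http://127.0.0.1:12800/graphql"

# __typename on the root query type is valid against any GraphQL schema and
# returns no application data, so the probe is safe to run.
PROBE_QUERY = {"query": "{ __typename }"}


def classify(status, body):
    """Map an HTTP status and response body to an exposure verdict.

    EXPOSED      - anonymous GraphQL queries are answered (mitigation missing)
    PROTECTED    - something in front of the endpoint demands credentials
    INCONCLUSIVE - reachable, but the reply is not a successful GraphQL answer
    """
    if status in (401, 403):
        return "PROTECTED"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "INCONCLUSIVE"  # e.g. a login page, not a GraphQL reply
        if isinstance(doc, dict) and "data" in doc and not doc.get("errors"):
            return "EXPOSED"
    return "INCONCLUSIVE"


def probe(url, timeout=5.0):
    """POST the probe query and classify the answer; never raises on network errors."""
    req = urllib.request.Request(
        url,
        data=json.dumps(PROBE_QUERY).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a status and body worth classifying.
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except OSError:
        # Connection refused, DNS failure, timeout: the endpoint is not reachable
        # from here, which is itself the desired state for an internal-only API.
        return "UNREACHABLE"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    verdict = probe(target)
    print(f"{target}: {verdict}")
    # Non-zero exit when the endpoint answers anonymous queries, for use in checks.
    sys.exit(1 if verdict == "EXPOSED" else 0)
```

Run it from outside the trusted network as well as from inside: the expected outcome is UNREACHABLE or PROTECTED from the outside, and EXPOSED only from hosts that legitimately need the API. A verdict of EXPOSED from the public side means the mitigation is not effective and the upgrade to 8.1.0 or later should be treated as urgent.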
References
If needed, you can find more information about the vulnerability here.