
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN510
_____________________________________________________________________

DATE                : 11/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache DolphinScheduler versions
                                prior to 1.3.2.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202009.mbox/%3cCANfXzxD4rhO-YHRixQA6F2XuvWLjLLhZGUO4JzsXGWa97WNqKg@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202009.mbox/%3cCANfXzxB+94Pz+K0hOAeCYTonGmgFGj74vCV9gEOL=zhWSx6CSg@mail.gmail.com%3e
_____________________________________________________________________


Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler  1.2.0  1.2.1


Description:

It is related to the MySQL Connector/J remote code execution vulnerability
when MySQL is chosen as the database. For details, please refer to:
https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/
We have fixed it in PR (
https://github.com/apache/incubator-dolphinscheduler/pull/2728)


Mitigation: 1.2.0 and 1.2.1 users should upgrade to >=1.3.1


Example: An attacker can execute code remotely on the DolphinScheduler
server through JDBC connection parameter input:
{"detectCustomCollations":true,"autoDeserialize":true}

Credit:  This issue was discovered by WuXiong of QI’ANXIN YunYing Lab.



Best Regards

DolphinScheduler(Incubator) PPMC
Lidong Dai
lidongdai@apache.org
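
Added example (not code from the advisory or the DolphinScheduler project, and not the fix in the PR above): one way to screen a user-supplied JSON object of JDBC connection parameters, such as the input shown in the example, before it reaches the driver. The function name, the allow-list and the sample inputs are assumptions constructed for illustration.

```python
import json

# Properties named in the advisory's example input; compared case-insensitively.
BLOCKED_KEYS = {"autodeserialize", "detectcustomcollations"}
# Assumed allow-list for this example: the only extra properties a user may set.
ALLOWED_KEYS = {"usessl", "characterencoding", "servertimezone", "connecttimeout"}
# Characters that could introduce a second property once values are joined into a URL.
URL_META = set("&?#=;%")


class _Pairs(list):
    """Marks a decoded JSON object, kept as (key, value) pairs so duplicates stay visible."""


def check_jdbc_params(raw_json):
    """Return (ok, reasons) for a user-supplied JSON object of JDBC properties."""
    try:
        pairs = json.loads(raw_json, object_pairs_hook=_Pairs)
    except ValueError:
        return False, ["not valid JSON"]
    if not isinstance(pairs, _Pairs):
        return False, ["top level must be a JSON object"]

    reasons, seen = [], set()
    for key, value in pairs:
        name = key.strip().lower()
        if name in seen:
            reasons.append(f"duplicate key: {key}")
        seen.add(name)
        if name in BLOCKED_KEYS:
            reasons.append(f"blocked property: {key}")
        elif name not in ALLOWED_KEYS:
            reasons.append(f"property not on allow-list: {key}")
        if not isinstance(value, (str, bool, int, float)):
            reasons.append(f"non-scalar value for {key}")
        elif URL_META & set(str(value)):
            reasons.append(f"URL metacharacter in value of {key}")
    return (not reasons), reasons


# The parameter input quoted in the advisory's example.
ADVISORY_INPUT = '{"detectCustomCollations":true,"autoDeserialize":true}'
# Constructed benign input.
BENIGN_INPUT = '{"useSSL":false,"characterEncoding":"UTF-8"}'

if __name__ == "__main__":
    for sample in (ADVISORY_INPUT, BENIGN_INPUT):
        print(sample, "->", check_jdbc_params(sample))
```

The allow-list is what does the work here: a deny-list alone only covers the two properties this advisory names.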


_____________________________________________________________________

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler  1.2.0  1.2.1 1.3.1

Description:
The vulnerability discovered is that
an ordinary user under any tenant can override another user's password
through the API interface /dolphinscheduler/users/update

Mitigation: 1.2.0, 1.2.1 and 1.3.1 users should upgrade to >=1.3.2

Example: An attacker can get admin permission in the DolphinScheduler
system through the API interface:
id=1&userName=admin&userPassword=Password1!&tenantId=1&email=sdluser%40sdluser.sdluser&phone=


Credit:  This issue was discovered by xuxiang of DtDream security

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai 代立冬
dailidong66@gmail.com
---------------



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





