[Security Notice] [Low impact] DolphinScheduler Vulnerability Explanation

A vulnerability was recently reported on the Apache DolphinScheduler community mailing list. Since many users are not subscribed to that list, we explain the situation here:

CVE-2021-27644

Importance: Low

Scope of impact: deployments where the service is exposed to the external network, or where an internal account has been leaked. If neither applies, users can decide whether to upgrade according to their actual needs.

Affected version: <1.3.6

Vulnerability description:

This problem is caused by a vulnerability in MySQL Connector/J. A logged-in DolphinScheduler user (users who are not logged in cannot perform this operation; companies are advised to enforce account security policies) can enter malicious parameters on the data source management page for a MySQL data source, which creates a security risk. Deployments that do not use a MySQL data source are not affected.
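As an added illustration of the defensive pattern such a fix relies on, and not code from DolphinScheduler itself: build the MySQL JDBC URL only from validated parts and pass connection properties through only when they appear on an allow-list, so form input cannot smuggle extra driver options into the URL. The allowed property set, the regexes and the sample values below are assumptions made for this example.

```python
"""Allow-list validation of user-supplied MySQL data source settings.

Constructed example, not DolphinScheduler code: the property names, patterns
and sample inputs are assumptions for illustration.
"""
import re
from urllib.parse import quote

# Assumed safe set of connection properties a data-source form may forward
# to the JDBC driver; any other property name is rejected outright.
ALLOWED_PROPERTIES = {
    "useSSL", "requireSSL", "characterEncoding", "useUnicode",
    "serverTimezone", "connectTimeout", "socketTimeout",
}
_VALUE_RE = re.compile(r"^[A-Za-z0-9_./+:-]{1,64}$")   # no '?', '&', '#', '='
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")       # hostname or IPv4 only
_DB_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")           # plain schema name


class InvalidDataSourceError(ValueError):
    """Raised when any part of the data source definition fails validation."""


def validate_properties(props: dict) -> dict:
    """Return only allow-listed properties; reject unknown names or odd values."""
    clean = {}
    for name, value in props.items():
        if name not in ALLOWED_PROPERTIES:
            raise InvalidDataSourceError(f"connection property not allowed: {name!r}")
        if not _VALUE_RE.match(str(value)):
            raise InvalidDataSourceError(f"malformed value for property {name!r}")
        clean[name] = str(value)
    return clean


def build_mysql_jdbc_url(host: str, port, database: str, props: dict) -> str:
    """Assemble jdbc:mysql://host:port/db?k=v from validated parts only."""
    if not _HOST_RE.match(host):
        raise InvalidDataSourceError("malformed host")
    if not 1 <= int(port) <= 65535:
        raise InvalidDataSourceError("port out of range")
    if not _DB_RE.match(database):
        raise InvalidDataSourceError("malformed database name")
    clean = validate_properties(props)
    url = f"jdbc:mysql://{host}:{int(port)}/{database}"
    if clean:
        # Sorted for a deterministic URL; values are percent-encoded as a second line of defence.
        url += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(clean.items()))
    return url


def is_accepted(host: str, port, database: str, props: dict) -> bool:
    """True if the definition passes validation, False if it is rejected."""
    try:
        build_mysql_jdbc_url(host, port, database, props)
        return True
    except ValueError:  # InvalidDataSourceError and bad port conversions
        return False
```

A server-side check like this belongs in the data source create and update handlers, and it complements (does not replace) upgrading to a fixed release.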

Repair suggestion: upgrade to version >=1.3.6

Special thanks to

Special thanks to the reporter of the vulnerability, Jin Chen from the Ant Security FG Lab, who reconstructed the vulnerability and provided the corresponding fix. The whole process showed the skill and expertise of professional security researchers; we thank them for their contribution to the security of open source projects.

Suggestion

We thank users for choosing Apache DolphinScheduler as their enterprise big data task scheduling system, but we must stress that a scheduling system is part of the core infrastructure of a big data platform: please do not expose it to the external network. In addition, protect the accounts of internal personnel with appropriate security measures to reduce the risk of account leakage.

Contribute

So far, the Apache DolphinScheduler community has 200+ code contributors and 70+ non-code contributors, including PMC members and committers of other top-level Apache projects. We welcome more partners to join the development of the open source community, working together to build a more stable, secure and reliable big data task scheduling system and contributing to the rise of open source in China.

WebSite: https://dolphinscheduler.apache.org/

MailList: dev@dolphinscheduler.apache.org

Twitter: @DolphinSchedule

YouTube: https://www.youtube.com/channel/UCmrPmeE7dVqo8DYhSLHa0vA

Slack: https://s.apache.org/dolphinscheduler-slack

Contributor Guide: https://dolphinscheduler.apache.org/en-us/community/index.html

If you have any questions about the vulnerability, you are welcome to join the discussion, and we will do our best to resolve them.