CVE-2020-11974

9.8 CRITICAL

📋 TL;DR

CVE-2020-11974 is a remote code execution vulnerability in DolphinScheduler 1.2.0 and 1.2.1 when configured with MySQL as the database. Attackers can exploit this vulnerability to execute arbitrary code on affected systems, potentially compromising the entire server. Organizations running vulnerable versions with MySQL database connections are at risk.

💻 Affected Systems

Products:
  • Apache DolphinScheduler
Versions: 1.2.0 through 1.2.1
Operating Systems: All operating systems running DolphinScheduler
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when MySQL is used as the database backend. Other database configurations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, or pivot to other systems in the network.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though exploitation could still occur.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable without authentication, making them prime targets for attackers.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or attackers who have gained initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the MySQL connector implementation and can be exploited without authentication. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0 and later

Vendor Advisory: https://lists.apache.org/thread.html/r0de5e3d5516467c9429a8d4356eca17ccf156337345ac6b104748acb%40%3Ccommits.dolphinscheduler.apache.org%3E

Restart Required: Yes

Instructions:

1. Backup your current DolphinScheduler configuration and data.
2. Download and install DolphinScheduler version 1.3.0 or later from the official Apache repository.
3. Apply your configuration to the new version.
4. Restart the DolphinScheduler service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Switch to PostgreSQL Database

Platform: all

Migrate from MySQL to PostgreSQL database backend, which is not affected by this vulnerability.

# Backup MySQL data
# Install PostgreSQL
# Configure DolphinScheduler to use PostgreSQL
# Migrate data from MySQL to PostgreSQL
# Restart DolphinScheduler

Network Isolation

Platform: linux

Restrict network access to DolphinScheduler instances to only trusted IP addresses.

# Example iptables rule allowing one trusted address:
iptables -A INPUT -p tcp --dport [DolphinScheduler_port] -s [trusted_ip] -j ACCEPT
# Deny all other access (append this after the ACCEPT rule; -A evaluates rules in order):
iptables -A INPUT -p tcp --dport [DolphinScheduler_port] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to only necessary users and systems.
  • Deploy web application firewall (WAF) rules to block exploitation attempts and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the DolphinScheduler version and database configuration. If running version 1.2.0 or 1.2.1 with MySQL database, the system is vulnerable.

Check Version:

Check the DolphinScheduler web interface or configuration files for version information, or run: grep version /path/to/dolphinscheduler/conf/application.properties

Verify Fix Applied:

Verify the DolphinScheduler version is 1.3.0 or later and confirm the service is running without errors.
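The version-plus-backend check above can be scripted so it is run the same way on every host. The following is an added example, not code from the DolphinScheduler project or from this advisory: it parses a Java-style properties file, looks for a version string under any key containing "version" (the exact key name is an assumption), reads the standard spring.datasource.url / spring.datasource.driver-class-name keys, and reports whether the install falls in the affected range (1.2.0 or 1.2.1 with MySQL). The sample configurations are constructed for the demonstration.

```python
"""Added example: classify a DolphinScheduler config against CVE-2020-11974.

Not project code. Assumptions: the version is exposed under some properties
key whose name contains "version" (e.g. the hypothetical
dolphinscheduler.version), and the datasource is described by the usual
Spring keys spring.datasource.url / spring.datasource.driver-class-name.
"""
import re

AFFECTED_VERSIONS = {(1, 2, 0), (1, 2, 1)}   # from the advisory
FIXED_VERSION = (1, 3, 0)                     # first patched release


def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_version(value):
    """Extract a major.minor.patch tuple from a string, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", value)
    return tuple(int(x) for x in m.groups()) if m else None


def find_version(props):
    """Mirror 'grep version application.properties': any key naming a version."""
    for key, value in props.items():
        if "version" in key.lower():
            ver = parse_version(value)
            if ver:
                return ver
    return None


def uses_mysql(props):
    """True when the JDBC URL or driver class points at MySQL."""
    url = props.get("spring.datasource.url", "").lower()
    driver = props.get("spring.datasource.driver-class-name", "").lower()
    return url.startswith("jdbc:mysql:") or "mysql" in driver


def assess(properties_text):
    """Return {'version', 'mysql', 'status'} for one application.properties."""
    props = parse_properties(properties_text)
    version = find_version(props)
    mysql = uses_mysql(props)
    if version is None:
        status = "unknown"                      # version not in this file
    elif version in AFFECTED_VERSIONS and mysql:
        status = "vulnerable"
    elif version in AFFECTED_VERSIONS:
        status = "affected-version-non-mysql"   # advisory: other backends unaffected
    elif version >= FIXED_VERSION:
        status = "fixed"
    else:
        status = "out-of-range"                 # older than 1.2.0, not covered here
    return {"version": version, "mysql": mysql, "status": status}


# Constructed sample configurations (not real DolphinScheduler files).
VULNERABLE_CONF = """
# constructed sample
dolphinscheduler.version=1.2.1
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/dolphinscheduler?useUnicode=true
"""
PATCHED_CONF = """
dolphinscheduler.version=1.3.0
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/dolphinscheduler
"""
POSTGRES_CONF = """
dolphinscheduler.version=1.2.0
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/dolphinscheduler
"""

if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_CONF),
                       ("patched", PATCHED_CONF),
                       ("postgres", POSTGRES_CONF)]:
        print(name, assess(conf))
```

In practice, feed it the contents of the real conf/application.properties and treat an "unknown" result as a prompt to confirm the version in the web interface rather than as a clean bill of health.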

📡 Detection & Monitoring

Log Indicators:

  • Unusual database connection attempts
  • Unexpected process execution
  • Error messages related to MySQL connector or database operations

Network Indicators:

  • Suspicious network traffic to DolphinScheduler ports from untrusted sources
  • Unexpected outbound connections from DolphinScheduler server

SIEM Query:

source="dolphinscheduler.log" AND ("mysql" OR "connector" OR "database") AND ("error" OR "exception" OR "unexpected")
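To sanity-check what that query actually returns before loading it into a SIEM, the same keyword logic can be run locally against a log file. The block below is an added example written for this page, not part of the advisory or of DolphinScheduler: it applies the query's two term groups (a database-related term AND an error-related term, case-insensitive) to each line and records which terms fired, over a constructed set of log lines.

```python
"""Added example: run the advisory's SIEM query logic over log lines offline.

Not project code. The log lines below are constructed for the demonstration.
"""
SUBJECT_TERMS = ("mysql", "connector", "database")     # first group of the query
SIGNAL_TERMS = ("error", "exception", "unexpected")    # second group of the query

# Constructed sample log lines (not real DolphinScheduler output).
SAMPLE_LOG = """\
2020-05-01 10:00:01 INFO  Connected to database dolphinscheduler
2020-05-01 10:00:05 ERROR com.mysql.jdbc.exceptions: unexpected end of stream
2020-05-01 10:00:09 INFO  worker heartbeat ok
2020-05-01 10:00:12 WARN  DataSource connector exception while opening connection
2020-05-01 10:00:20 ERROR task timeout
"""


def match_terms(line):
    """Return (subject_hits, signal_hits) for one log line, case-insensitive."""
    lowered = line.lower()
    subject = [t for t in SUBJECT_TERMS if t in lowered]
    signal = [t for t in SIGNAL_TERMS if t in lowered]
    return subject, signal


def run_query(log_text):
    """Lines satisfying (subject term) AND (signal term), with the terms that hit."""
    hits = []
    for line in log_text.splitlines():
        subject, signal = match_terms(line)
        if subject and signal:
            hits.append({"line": line, "subject": subject, "signal": signal})
    return hits


if __name__ == "__main__":
    for hit in run_query(SAMPLE_LOG):
        print(hit["subject"], hit["signal"], "|", hit["line"])
```

Note that a line like "ERROR task timeout" does not match because it carries no database-related term, and "Connected to database" does not match because it carries no error term; the AND between the two groups is what keeps the query from flagging routine traffic.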

🔗 References
