CVE-2020-13921
📋 TL;DR
This SQL injection vulnerability in Apache SkyWalking allows attackers to execute arbitrary SQL commands when using H2, MySQL, or TiDB as storage backends. It specifically affects wildcard query functionality, potentially leading to data theft, modification, or complete system compromise. Only deployments using these specific database backends are affected.
💻 Affected Systems
- Apache SkyWalking
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data exfiltration, modification, or deletion; potential remote code execution depending on database configuration and privileges.
Likely Case
Unauthorized data access and potential data manipulation within the SkyWalking database.
If Mitigated
Limited impact with proper network segmentation, database user privilege restrictions, and input validation in place.
🎯 Exploit Status
SQL injection vulnerabilities typically have low exploitation complexity. This one sits in the wildcard query functionality, so reaching it may require access to the specific SkyWalking API that issues such queries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.0 and later
Vendor Advisory: https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E
Restart Required: Yes
Instructions:
1. Upgrade to SkyWalking 8.1.0 or later.
2. Stop SkyWalking services.
3. Replace with the patched version.
4. Restart services.
5. Verify functionality.
🔧 Temporary Workarounds
Database User Privilege Restriction
Limit database user permissions to the minimum required operations.
-- Example MySQL commands: drop all existing grants, then re-grant only DML on the SkyWalking schema
REVOKE ALL PRIVILEGES ON skywalking.* FROM 'skywalking_user'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON skywalking.* TO 'skywalking_user'@'%';
FLUSH PRIVILEGES;
Network Access Control
Restrict access to SkyWalking API endpoints.
# Example iptables rules: allow the OAP REST port (12800) only from a trusted network, drop everything else
# (replace trusted_network with the source CIDR you actually trust, e.g. 10.0.0.0/8)
iptables -A INPUT -p tcp --dport 12800 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 12800 -j DROP
🧯 If You Can't Patch
- Switch to the PostgreSQL or Elasticsearch storage backends, which are not affected by this vulnerability
- Implement Web Application Firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check SkyWalking version and storage backend configuration. Vulnerable if version < 8.1.0 AND using H2/MySQL/TiDB backend.
Check Version:
Check SkyWalking OAP server logs or configuration files for version information
Verify Fix Applied:
Confirm SkyWalking version is 8.1.0 or later and test wildcard query functionality.
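As an added example (not from the advisory or the SkyWalking project), a small Python check that applies the rule above to an OAP application.yml. It assumes the active backend is chosen by the top-level storage.selector key using SkyWalking's ${ENV_VAR:default} placeholder syntax, and that the file uses two-space indentation; the sample config is constructed.

```python
import re

VULNERABLE_BACKENDS = {"h2", "mysql", "tidb"}   # backends named in the advisory
FIXED_VERSION = (8, 1, 0)                        # first fixed release
_PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$")


def resolve_placeholder(value, env=None):
    # SkyWalking values look like ${SW_STORAGE:h2}; the env var wins if it is set.
    m = _PLACEHOLDER.match(value.strip())
    if not m:
        return value.strip()
    return (env or {}).get(m.group(1), m.group(2) or "")


def parse_version(version):
    # '8.0.1' or 'v8.1.0-SNAPSHOT' -> comparable tuple, so 8.10.0 sorts above 8.1.0.
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def storage_selector_from_yaml(text):
    # Minimal reader for the top-level 'storage:' block's 'selector:' key (assumption:
    # 2-space indent); other blocks such as 'core:' also have a selector and are skipped.
    in_storage = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            in_storage = line.startswith("storage:")
            continue
        m = re.match(r"\s+selector:\s*(.+?)\s*$", line)
        if in_storage and m:
            return m.group(1).strip("'\"")
    return None


def is_vulnerable(version, config_text, env=None):
    # Affected only when version < 8.1.0 AND the active backend is H2, MySQL or TiDB.
    selector = storage_selector_from_yaml(config_text)
    if selector is None:
        raise ValueError("no storage.selector found in config")
    backend = resolve_placeholder(selector, env).lower()
    return parse_version(version) < FIXED_VERSION and backend in VULNERABLE_BACKENDS


# Constructed fragment of an application.yml, not taken from any real deployment.
SAMPLE_CONFIG = """\
core:
  selector: ${SW_CORE:default}
storage:
  selector: ${SW_STORAGE:h2}
"""
```

Pass the OAP process's environment (for example from the container spec) as env, since an SW_STORAGE variable silently overrides the file's default.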
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed wildcard query attempts
- Unexpected database error messages
Network Indicators:
- Unusual traffic patterns to SkyWalking API endpoints
- SQL injection patterns in HTTP requests
SIEM Query:
source="skywalking.logs" AND ("SQL error" OR "syntax error" OR "wildcard query")
🔗 References
- http://www.openwall.com/lists/oss-security/2020/08/05/3
- https://github.com/apache/skywalking/pull/4970
- https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E