CVE-2021-27644 – CVE-2021-27644 is a SQL injection vulnerability... (How to Fix)

Q: What is the severity of CVE-2021-27644?

CVE-2021-27644 has a CVSS score of 8.8 (HIGH). CVE-2021-27644 is a SQL injection vulnerability in Apache DolphinScheduler's data source center that allows authorized users to execute arbitrary SQL commands. This affects MySQL data sources configured with internal login credentials. The vulnerability enables attackers with valid credentials to potentially access, modify, or delete database contents.

📋 TL;DR

CVE-2021-27644 is a SQL injection vulnerability in Apache DolphinScheduler's data source center that allows authorized users to execute arbitrary SQL commands. This affects MySQL data sources configured with internal login credentials. The vulnerability enables attackers with valid credentials to potentially access, modify, or delete database contents.

💻 Affected Systems

Products:

Apache DolphinScheduler

Versions: All versions before 1.3.6

Operating Systems: All platforms running DolphinScheduler

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects MySQL data sources configured with internal login accounts. Other database types are not vulnerable.

📦 What is this software?

Dolphinscheduler by Apache

View all CVEs affecting Dolphinscheduler →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, privilege escalation to database administrator, and potential lateral movement to other systems.

🟠

Likely Case

Unauthorized data access and modification within the DolphinScheduler database, potentially exposing sensitive scheduling data and credentials.

🟢

If Mitigated

Limited impact due to proper input validation, parameterized queries, and restricted database permissions.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing instances are more exposed to credential attacks.

🏢 Internal Only: HIGH - Internal authorized users can exploit this vulnerability to gain elevated database access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW - Standard SQL injection techniques apply once authenticated.

Exploitation requires valid user credentials and access to the data source center functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.6 and later

Vendor Advisory: https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E

Restart Required: Yes

Instructions:

1. Backup your current installation and database. 2. Download DolphinScheduler version 1.3.6 or later from Apache website. 3. Stop the DolphinScheduler service. 4. Replace the installation with the new version. 5. Restart the DolphinScheduler service. 6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation for data source center parameters

Modify source code to validate and sanitize user inputs in data source center functions

Database Permission Restriction

linux

Limit database user permissions to minimum required operations

REVOKE ALL PRIVILEGES ON *.* FROM 'dolphinscheduler'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON dolphinscheduler.* TO 'dolphinscheduler'@'%';

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block SQL injection patterns
Restrict access to data source center functionality to only trusted administrators

🔍 How to Verify

Check if Vulnerable:

Check DolphinScheduler version: if version is less than 1.3.6 and using MySQL data source with internal login, the system is vulnerable.

Check Version:

Check DolphinScheduler web interface or configuration files for version information

Verify Fix Applied:

Verify version is 1.3.6 or later and test data source center functionality with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by data source center access
Unexpected database schema changes

Network Indicators:

Unusual database connection patterns from DolphinScheduler server
Large data transfers from database

SIEM Query:

source="dolphinscheduler" AND (event="data_source" OR event="sql_execution") AND query CONTAINS "UNION" OR query CONTAINS "SELECT * FROM"

📊 Metadata

CVE ID: CVE-2021-27644

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-264

Published: November 1, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/11/01/3 Mailing List,Third Party Advisory
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E Mailing List,Vendor Advisory
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E Mailing List,Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/11/01/3 Mailing List,Third Party Advisory
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E Mailing List,Vendor Advisory
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E Mailing List,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-27644, you might also want to check these: