CVE-2023-35088
📋 TL;DR
This CVE describes an SQL injection vulnerability in Apache InLong's toAuditCkSql method where user-controlled parameters (groupId, streamId, auditId, dt) are directly concatenated into SQL queries without proper sanitization. Attackers can exploit this to execute arbitrary SQL commands on the database. All Apache InLong deployments running versions 1.4.0 through 1.7.0 are affected.
💻 Affected Systems
- Apache InLong
📦 What is this software?
InLong by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise allowing data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized data access, data exfiltration, and potential database manipulation depending on attacker's SQL payload.
If Mitigated
Limited impact with proper network segmentation, database permissions, and input validation at other layers.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with readily available tools. The vulnerability requires access to the affected endpoint but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0
Vendor Advisory: https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
Restart Required: Yes
Instructions:
1. Back up your current InLong configuration and data.
2. Download Apache InLong 1.8.0 from the official Apache website.
3. Stop the InLong service.
4. Replace the installation with version 1.8.0.
5. Restore configuration if needed.
6. Start the InLong service.
7. Verify the fix by checking the version and testing the affected functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement application-level input validation to sanitize groupId, streamId, auditId, and dt parameters before they reach the vulnerable method.
Database Firewall Rules
Configure database firewall or WAF to block SQL injection patterns targeting the affected endpoints.
🧯 If You Can't Patch
- Implement strict input validation at the application layer for all parameters passed to toAuditCkSql method.
- Restrict network access to InLong instances using firewalls and ensure they're not directly internet-facing.
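One way to implement the input validation described under "Input Validation Filter" and "If You Can't Patch", as an added example that is not code from Apache InLong or from this advisory. The class name, the allowed character sets, the length limits and the `yyyy-MM-dd` shape of dt are assumptions to adapt to the identifiers your deployment actually uses.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.util.regex.Pattern;

/** Added example: allowlist checks for the four parameters named in the advisory. */
public class AuditParamValidator {
    // Assumed formats (not taken from InLong): adjust to your own identifiers.
    private static final Pattern ID = Pattern.compile("[A-Za-z0-9_.-]{1,128}");
    private static final Pattern AUDIT_ID = Pattern.compile("[0-9]{1,10}");
    private static final DateTimeFormatter DAY =
            DateTimeFormatter.ofPattern("uuuu-MM-dd").withResolverStyle(ResolverStyle.STRICT);

    static boolean matches(Pattern p, String v) {
        return v != null && p.matcher(v).matches(); // matches() anchors the whole string
    }

    static boolean validDay(String dt) {
        if (dt == null || dt.length() != 10) return false;
        try {
            LocalDate.parse(dt, DAY); // STRICT rejects impossible dates such as 2023-02-30
            return true;
        } catch (DateTimeParseException e) {
            return false;
        }
    }

    /** Returns the name of the first rejected parameter, or null when all four pass. */
    static String firstInvalid(String groupId, String streamId, String auditId, String dt) {
        if (!matches(ID, groupId)) return "groupId";
        if (!matches(ID, streamId)) return "streamId";
        if (!matches(AUDIT_ID, auditId)) return "auditId";
        if (!validDay(dt)) return "dt";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {groupId, streamId, auditId, dt}
        String[][] samples = {
            {"order_group", "stream-01", "3", "2023-07-25"},
            {"order_group' OR '1'='1", "stream-01", "3", "2023-07-25"},
            {"order_group", "stream-01", "3", "2023-02-30"},
            {"order_group", "stream-01", "3; --", "2023-07-25"},
        };
        for (String[] s : samples) {
            String bad = firstInvalid(s[0], s[1], s[2], s[3]);
            System.out.println(String.join(",", s) + " -> " + (bad == null ? "accept" : "reject " + bad));
        }
    }
}
```

Reject the request before it reaches the query-building code and log the rejected parameter name; this narrows the input and does not replace the upgrade to 1.8.0.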
🔍 How to Verify
Check if Vulnerable:
Check your Apache InLong version. If it's between 1.4.0 and 1.7.0 inclusive, you are vulnerable.
Check Version:
Check InLong configuration files or use the InLong API/UI to determine the running version.
Verify Fix Applied:
After upgrading to 1.8.0, verify the version and test that SQL injection attempts on the affected parameters are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or parameter manipulation in application logs
- Unexpected database errors containing SQL syntax
Network Indicators:
- Unusual traffic patterns to InLong endpoints
- Requests containing SQL keywords (SELECT, UNION, DROP, etc.) in parameters
SIEM Query:
source="inlong_logs" AND (message="*SQL*" OR message="*syntax*" OR parameters="*SELECT*" OR parameters="*UNION*")
🔗 References
- http://seclists.org/fulldisclosure/2023/Jul/43
- http://www.openwall.com/lists/oss-security/2023/07/25/4
- https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk