CVE-2023-49109

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Apache DolphinScheduler servers due to improper input validation (CWE-94). It affects all users running versions before 3.2.1, potentially enabling full system compromise.

💻 Affected Systems

Products:
  • Apache DolphinScheduler
Versions: All versions before 3.2.1
Operating Systems: All supported OS (e.g., Linux, Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: No specific configuration required; vulnerable out-of-the-box.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover, data theft, and lateral movement within the network.

🟠 Likely Case: Unauthorized code execution leading to service disruption or data exfiltration.

🟢 If Mitigated: Limited impact if isolated in a segmented network with strict access controls.

🌐 Internet-Facing: HIGH, as it can be exploited remotely without authentication.
🏢 Internal Only: HIGH, due to potential for internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is likely straightforward given the remote, unauthenticated nature of the flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1

Vendor Advisory: https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8

Restart Required: Yes

Instructions:

1. Back up data and configurations.
2. Download version 3.2.1 from the official Apache repository.
3. Stop the DolphinScheduler service.
4. Replace the installation with the new version.
5. Restart the service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to DolphinScheduler to trusted IPs only.

iptables -A INPUT -p tcp --dport <port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <port> -j DROP

🧯 If You Can't Patch

  • Isolate the system from the internet and untrusted networks.
  • Implement strict access controls and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the version in the DolphinScheduler web UI or configuration files; if below 3.2.1, it is vulnerable.

Check Version:

grep version /path/to/dolphinscheduler/conf/application.yaml

Verify Fix Applied:

Confirm the version is 3.2.1 or higher and test functionality for anomalies.
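The version check above is manual; the following POSIX shell script is an added example (not part of this advisory or of the DolphinScheduler project) that pulls a `version:` value out of a YAML-style configuration file and compares it numerically against the fixed release 3.2.1, so the check can be run across many hosts. It assumes the configuration file exposes the installed version under a `version:` key, as the advisory's own grep implies; the file path is a placeholder, and the sample file written by the usage block is constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an installed DolphinScheduler version is
# below the fixed release 3.2.1 (CVE-2023-49109). Not project code.
FIXED_VERSION="3.2.1"

# version_lt A B: exit 0 when A is strictly lower than B, comparing each
# dot-separated component numerically (so 3.10.0 > 3.9.0, unlike a string sort).
# A trailing suffix such as "-SNAPSHOT" is ignored by awk's numeric coercion.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# is_vulnerable_version VERSION: exit 0 (true) when VERSION < 3.2.1.
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# extract_version FILE: print the first "version: x.y.z" value found in a
# YAML-style file (quotes optional). Assumes the key is named "version".
extract_version() {
    sed -n 's/^[[:space:]]*version:[[:space:]]*"\{0,1\}\([0-9][0-9.]*[^" ]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# check_file FILE: report the verdict for one configuration file.
# Prints VULNERABLE, PATCHED, or UNKNOWN and exits 0/1/2 accordingly.
check_file() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no version key found in $1"
        return 2
    fi
    if is_vulnerable_version "$v"; then
        echo "VULNERABLE: version $v is below $FIXED_VERSION"
        return 1
    fi
    echo "PATCHED: version $v is $FIXED_VERSION or later"
    return 0
}

# Usage: ./check_ds_version.sh /path/to/dolphinscheduler/conf/application.yaml
# (path is a placeholder). With no argument the functions are only defined.
if [ -n "${1:-}" ]; then
    check_file "$1"
fi
```

The verdict exit codes (0 patched, 1 vulnerable, 2 unknown) make the script usable from a configuration-management run or a cron job that feeds results into inventory; an UNKNOWN result should be treated as unverified rather than as safe.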

📡 Detection & Monitoring

Log Indicators:

  • Unusual process executions or errors in DolphinScheduler logs

Network Indicators:

  • Suspicious inbound requests to DolphinScheduler ports

SIEM Query:

source="dolphinscheduler.log" AND (event="execution" OR error="code injection")
