CVE-2020-1947: Apache ShardingSphere Remote Code Execution Vulnerability Alert

On March 10th, the Apache ShardingSphere project released version 4.0.1, which fixes a remote code execution vulnerability (CVE-2020-1947). After logging in to the administrative backend, an attacker can achieve remote code execution by submitting malicious YAML code.

ShardingSphere is an open-source ecosystem consisting of a set of distributed database middleware solutions, including 2 independent products, Sharding-JDBC and Sharding-Proxy, plus Sharding-Sidecar (todo). They all provide data sharding, distributed transactions and database orchestration, and are applicable to a variety of situations such as Java isomorphism, heterogeneous languages and cloud native.

Affected version

  • Apache ShardingSphere version < 4.0.1

Solution

Apache ShardingSphere 4.0.1 restricts the classes that a YAML document may reference by adding a class filter, which fixes this vulnerability. Affected users are advised to upgrade to the latest version as soon as possible.
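The Java below is an added illustration of the class of fix the advisory describes (restricting which classes a YAML document may name); it is not ShardingSphere's own code. It assumes SnakeYAML 1.x on the classpath, Java 11 or later, and uses constructed class names (`Probe`, `DataSourceConfig`, `AllowListConstructor`) and a constructed JDBC URL. It contrasts the default loader, which instantiates any class named by a `!!` tag, with two hardened loaders: a `SafeConstructor` that only builds maps, lists and scalars, and a `Constructor` subclass that checks every tag against an allow-list before any class is resolved.

```java
import java.util.Map;
import java.util.Set;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Constructed stand-in for any class with a public no-arg constructor.
// Its only job is to record whether SnakeYAML instantiated it.
class Probe {
    static int instances = 0;
    public Probe() { instances++; }
}

public class YamlLoaderDemo {

    // Constructed stand-in for a legitimate configuration bean.
    public static class DataSourceConfig {
        private String url;
        private int poolSize;
        public String getUrl() { return url; }
        public void setUrl(String url) { this.url = url; }
        public int getPoolSize() { return poolSize; }
        public void setPoolSize(int poolSize) { this.poolSize = poolSize; }
    }

    // Allow-list constructor: a "!!" tag may only name classes enumerated here.
    // Anything else is rejected in getClassForName, before a constructor can run.
    static class AllowListConstructor extends Constructor {
        private static final Set<String> ALLOWED = Set.of(DataSourceConfig.class.getName());

        AllowListConstructor(Class<?> root) { super(root); }

        @Override
        protected Class<?> getClassForName(String name) throws ClassNotFoundException {
            if (!ALLOWED.contains(name)) {
                throw new ClassNotFoundException("class not on YAML allow-list: " + name);
            }
            return super.getClassForName(name);
        }
    }

    // Vulnerable pattern: the default Constructor honours any "!!fully.qualified.Class" tag.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern 1: SafeConstructor builds only maps, lists and scalars.
    static Object loadDataOnly(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    // Hardened pattern 2: typed loading with an explicit class allow-list.
    // Note that loadAs() overwrites the tag of the root node with the requested type,
    // so the allow-list matters for tags on nested nodes (such as a property value).
    static DataSourceConfig loadConfig(String yaml) {
        Yaml loader = new Yaml(new AllowListConstructor(DataSourceConfig.class));
        return loader.loadAs(yaml, DataSourceConfig.class);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal config document and one carrying a global tag
        // on a nested value.
        String normal = "url: jdbc:mysql://db.example.internal/app\npoolSize: 8\n";
        String tagged = "url: !!Probe {}\npoolSize: 8\n";

        // The normal document loads under every loader.
        System.out.println("data-only: " + loadDataOnly(normal));
        System.out.println("typed url: " + loadConfig(normal).getUrl());

        // Under the default loader the tagged document instantiates Probe and
        // hands the instance back inside a Map.
        Map<?, ?> m = (Map<?, ?>) loadUnsafe(tagged);
        System.out.println("unsafe: url value is " + m.get("url").getClass().getName());
        System.out.println("Probe instances after unsafe load: " + Probe.instances);

        // Both hardened loaders reject the tag before Probe's constructor runs.
        for (String mode : new String[] {"data-only", "typed"}) {
            try {
                if (mode.equals("data-only")) loadDataOnly(tagged); else loadConfig(tagged);
                System.out.println(mode + ": ACCEPTED (unexpected)");
            } catch (YAMLException e) {
                System.out.println(mode + ": rejected with " + e.getClass().getSimpleName());
            }
        }
        System.out.println("Probe instances after hardened loads: " + Probe.instances);
    }
}
```

Run with SnakeYAML 1.x on the classpath. The data-only loader is the right choice when the YAML is treated as plain data and mapped to configuration objects afterwards; the allow-list loader keeps convenient typed loading while refusing every class the application did not explicitly name, which is the behaviour a class filter such as the one added in 4.0.1 provides.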