On March 10th, the Apache ShardingSphere library released a new version 4.0.1, which fixed a remote code execution vulnerability (CVE-2020-1947). After logging in to the management background, an attacker can implement remote code execution by submitting malicious YAML code.
ShardingSphere is an open-source ecosystem consisted of a set of distributed database middleware solutions, including 2 independent products, Sharding-JDBC & Sharding-Proxy & Sharding-Sidecar (todo). They all provide functions of data sharding, distributed transaction and database orchestration, applicable in a variety of situations such as Java isomorphism, heterogeneous language and cloud native.
- Apache ShardingSphere version <4.0.1
Apache ShardingSphere has restricted the YAML illegal class by adding classfilter in the latest version 4.0.1 and fixed this vulnerability. Related users are requested to upgrade to the latest version as soon as possible to fix this vulnerability.