XXL-JOB statement on the remote command execution vulnerability caused by unauthorized access

In response to reports from major cloud vendors that XXL-JOB has a remote command execution vulnerability, the author of XXL-JOB stated that the issue is not a "vulnerability" in nature, because the official release already provides an authentication component that protects against it once enabled. The full response is as follows:

This problem is not a "vulnerability" in nature. The official release provides an authentication component, which protects against it once it is turned on.

This problem is similar to exposing a MySQL or Redis instance to the public network without setting a password. Strictly speaking, it cannot be said that MySQL and Redis have vulnerabilities; just set a password.

In response to this problem, the XXL-JOB author offers the following security protection strategies:

  1. Enable the authentication component built into XXL-JOB: search for "xxl.job.accessToken" in the official documentation and enable it as described there.
  2. Port protection: change the default executor port promptly; exposing the default port 9999 directly to the public network is not recommended.
  3. Port access restriction: configure security group rules so that only specified IP addresses can reach the executor's port 9999.
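The three strategies above are all configuration decisions, so an added example (not XXL-JOB project code) audits an admin and an executor application.properties for them: an empty access token on either side, a token mismatch between the two sides (which makes the executor reject legitimate dispatches), and the executor still listening on the default port 9999. The key names other than xxl.job.accessToken are assumed from the executor sample's properties file as the author recalls them; the sample files and the token value are constructed placeholders.

```python
from typing import Dict, List

DEFAULT_EXECUTOR_PORT = "9999"  # default named in the statement


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def audit(admin: Dict[str, str], executor: Dict[str, str]) -> List[str]:
    """Return findings for the settings the statement recommends; [] means none."""
    findings: List[str] = []
    admin_token = admin.get("xxl.job.accessToken", "")
    exec_token = executor.get("xxl.job.accessToken", "")
    if not exec_token:
        findings.append("executor: xxl.job.accessToken empty; any dispatch request is accepted")
    if not admin_token:
        findings.append("admin: xxl.job.accessToken empty; admin sends no token to the executor")
    if admin_token and exec_token and admin_token != exec_token:
        findings.append("admin/executor accessToken mismatch; legitimate dispatches will be rejected")
    # Assumed key name (from the executor sample); a missing key means the default port.
    if executor.get("xxl.job.executor.port", DEFAULT_EXECUTOR_PORT) == DEFAULT_EXECUTOR_PORT:
        findings.append("executor: default port 9999 in use; change it and restrict access by security group")
    return findings


# Constructed sample files: the weak setting next to the corrected one.
WEAK_ADMIN = "xxl.job.accessToken=\n"
WEAK_EXECUTOR = "xxl.job.accessToken=\nxxl.job.executor.port=9999\n"
HARDENED_ADMIN = "xxl.job.accessToken=REPLACE-WITH-A-LONG-RANDOM-TOKEN\n"
HARDENED_EXECUTOR = ("xxl.job.accessToken=REPLACE-WITH-A-LONG-RANDOM-TOKEN\n"
                     "xxl.job.executor.port=18901\n")

if __name__ == "__main__":
    for label, a, e in [("weak", WEAK_ADMIN, WEAK_EXECUTOR),
                        ("hardened", HARDENED_ADMIN, HARDENED_EXECUTOR)]:
        print(label, audit(parse_properties(a), parse_properties(e)) or ["no findings"])
```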

The author also stated that future releases will enable the authentication component by default, with a focus on improving security.

According to the author's analysis of the reported "vulnerability", the core of the problem is GLUE mode. XXL-JOB supports multi-language and script tasks through "GLUE mode", whose features are as follows:

  • Multi-language support: Java, Shell, Python, NodeJS, PHP, PowerShell... and other task types.

  • Web IDE: tasks are maintained as source code in the dispatch center, and online development and maintenance are supported through the Web IDE.

  • Takes effect dynamically: task code developed online by the user in the Web IDE is pushed remotely to the executor, where it is loaded and executed in real time.

As shown in the figure above, if attack code is written into a GLUE mode task and pushed to the executor for execution, a remote attack can result.

Since the official release of XXL-JOB includes its own authentication component, it secures the system's underlying communication once enabled. The XXL-JOB author stated that under normal circumstances the communication between the dispatch center and the executor is secure and there is no remote command vulnerability. However, if the executor does not enable the access token, it cannot recognize and intercept illegitimate dispatch requests, and a malicious requester can then use GLUE mode to push malicious code and achieve a remote attack. As shown below:

Therefore, the author of XXL-JOB believes that this issue is not a "vulnerability" in nature, since the official release provides an authentication component that protects against it once enabled.

Part of the XXL-JOB remote command execution vulnerability notice:

Manuscript source:
https://mp.weixin.qq.com/s/jzXIVrEl0vbjZxI4xlUm-g

Origin www.oschina.net/news/119568/xxl-job-rce-statement