canal默认admin.passwd风险说明及解决方案 #4941

agapple · 2023-11-08T02:10:27Z

近期canal社区收到关于canal admin鉴权功能通过adminPassword默认值进行撞击，绕过身份验证安全漏洞的问题。

考虑默认的安全风险，计划v1.1.8版本做如下变更：

canal admin针对与canal-server通讯时，使用application.yml中配置的canal.adminPassword
canal-server使用canal.properties中配置canal.passwd和canal.admin.passwd，分别控制client链接server、以及server链接admin之间的权限控制

新版本移除自带的password默认值，并在password未传入或非法时阻止节点启动来提醒用户设置自定义password

e345 · 2023-11-08T02:37:11Z

鼎力支持，加强系统安全。1.1.8希望能兼容8.0.33的binlog，大佬帮忙看看，单独发了issues：#4940

agapple · 2023-11-08T05:39:30Z

agapple · 2023-12-22T02:14:01Z

修复ClientAuthenticationHandler在auth认证失败时未及时终止后续packet包的处理流程，导致有越权访问binlog数据的风险

agapple added a commit that referenced this issue Nov 8, 2023

fixed issue #4941 , remove default passwd

98677c5

agapple closed this as completed Nov 8, 2023

agapple added this to the v1.1.8 milestone Nov 8, 2023

agapple added a commit that referenced this issue Dec 22, 2023

fixed security bugfix #4941 , process auth failed

17b36fa

agapple added a commit that referenced this issue Dec 29, 2023

fixed security bugfix #4941 , process auth failed

67e0928

zoemak pushed a commit to zoemak/canal that referenced this issue Jan 30, 2024

fixed issue alibaba#4941 , remove default passwd

546feb3

zoemak pushed a commit to zoemak/canal that referenced this issue Jan 30, 2024

fixed security bugfix alibaba#4941 , process auth failed

8ee3e09

Provide feedback