【Environment】Production environment
【OB or other component】observer
【Version】v4.2.1
【Problem description】How should we deal with MySQL server version security vulnerabilities flagged by a scan?
【Reproduction steps】
【Attachments and logs】
Is there a detailed description of these vulnerabilities? It's not clear what exactly they refer to.
Someone has asked this on the forum before. Posting it again:
Just explain it to your manager.
Regarding the MySQL vulnerabilities: OB borrows the MySQL version number for compatibility with external tools. OB is entirely self-developed and uses no MySQL-related code, so the MySQL vulnerabilities do not apply. For the official statement, see the announcement on the website.
1 like
My manager doesn't accept this. Is there any way to keep these vulnerabilities from being flagged by the scan? Changing the global version didn't help either.
Could you say which specific vulnerabilities they are?
Hello, although the vulnerabilities flagged by the scan are false positives, some customers don't accept that. Could the version number be changed to something like 8.0 to avoid the false positive? Or, since OceanBase is already compatible with the MySQL 8.0 protocol, could the reported compatible protocol version be raised?
Look at how the compliance scanner obtains the database version number.
Change the obproxy mysql_version parameter to the version number corresponding to 8.0, and direct the vulnerability scanner's connection to the OB tenant through obproxy.
[root@server065 mq]# obclient -h10.0.0.65 -uroot@sys#obdemo -P2883 -paaAA11__ -c -A test
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 530357
Server version: OceanBase 4.3.3.0 (r100000412024101200-0701a8319ff6499651ba0f95520709081c751b20) (Built Oct 12 2024 01:29:48)
Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(root@10.0.0.65:2883) [test]> show proxyconfig like '%version%';
+------------------------------+----------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| name | value | info | need_reboot | visible_level | range | config_level |
+------------------------------+----------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| client_session_id_version | 2 | client session id version | false | SYS | [1,2] | LEVEL_GLOBAL |
| mysql_version | 5.6.25 | returned version for mysql mode, default value is 5.6.25. If set, proxy will send new version when user connect to proxy | false | USER | | LEVEL_VIP |
| local_vip_tenant_version | 0 | local vip tenant version | false | MEMORY | [0,] | LEVEL_GLOBAL |
| current_local_config_version | 0 | local config version for current app | false | SYS | [0,] | LEVEL_GLOBAL |
| json_config_version | 5e0bad8c9b9d5098d3134aac83e5056a | json config info version | false | virtual | NULL | NULL |
+------------------------------+----------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
5 rows in set (0.002 sec)
(root@10.0.0.65:2883) [test]> alter proxyconfig set mysql_version='5.07.28';
Query OK, 0 rows affected (0.014 sec)
(root@10.0.0.65:2883) [test]> show proxyconfig like '%mysql_version%';
+---------------+---------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| name | value | info | need_reboot | visible_level | range | config_level |
+---------------+---------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| mysql_version | 5.07.28 | returned version for mysql mode, default value is 5.6.25. If set, proxy will send new version when user connect to proxy | false | USER | | LEVEL_VIP |
+---------------+---------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
1 row in set (0.003 sec)
(root@10.0.0.65:2883) [test]>
(root@10.0.0.65:2883) [test]> alter proxyconfig set mysql_version='8.0.41';
(root@10.0.0.65:2883) [test]> show proxyconfig like '%mysql_version%';
+---------------+--------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| name | value | info | need_reboot | visible_level | range | config_level |
+---------------+--------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
| mysql_version | 8.0.41 | returned version for mysql mode, default value is 5.6.25. If set, proxy will send new version when user connect to proxy | false | USER | | LEVEL_VIP |
+---------------+--------+--------------------------------------------------------------------------------------------------------------------------+-------------+---------------+-------+--------------+
1 row in set (0.003 sec)
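Added example, not from any poster in this thread: to confirm what a scanner will actually see on each port, this Python script reads the MySQL-protocol initial handshake (the packet the server sends before any authentication, which is where the version string lives) and extracts the server version. The sample packet is constructed for the offline test; the host and the ports 2881/2883 are assumed to be the ones from this thread.

```python
import socket
import struct

# Constructed sample: a MySQL initial handshake (protocol version 10) as an
# obproxy configured with mysql_version='8.0.41' would send it. Layout:
# 3-byte payload length + 1-byte sequence id, then protocol version,
# NUL-terminated server version, connection id, auth data, filler, caps.
_SAMPLE_PAYLOAD = (
    b"\x0a"                      # protocol version 10
    + b"8.0.41\x00"              # server version string, NUL-terminated
    + struct.pack("<I", 530357)  # connection id
    + b"\x00" * 8 + b"\x00"      # auth-plugin-data-part-1 + filler byte
    + b"\xff\xff"                # capability flags (lower two bytes)
)
SAMPLE_PACKET = struct.pack("<I", len(_SAMPLE_PAYLOAD))[:3] + b"\x00" + _SAMPLE_PAYLOAD


def parse_server_version(packet: bytes) -> str:
    """Return the server version string from a MySQL initial handshake packet."""
    if len(packet) < 5:
        raise ValueError("packet too short for a MySQL packet header")
    payload_len = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + payload_len]
    if len(payload) < payload_len:
        raise ValueError("truncated handshake payload")
    if payload[0] == 0xFF:  # ERR packet, e.g. host not allowed to connect
        raise ValueError("server sent an error packet instead of a handshake")
    if payload[0] != 10:
        raise ValueError(f"unsupported handshake protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)  # version string ends at the first NUL
    return payload[1:end].decode("ascii", errors="replace")


def banner_version(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read the unauthenticated handshake, and return the version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        packet = sock.recv(4096)
    return parse_server_version(packet)


if __name__ == "__main__":
    # Assumed host from the thread; 2881 is the direct observer port that the
    # last reply blocks at the firewall, 2883 is the obproxy port it keeps.
    for port in (2881, 2883):
        try:
            print(port, banner_version("10.0.0.65", port))
        except (OSError, ValueError) as exc:
            print(port, "no handshake:", exc)
```

If 2881 is reachable from the scanner's network, it will still report the observer's own banner regardless of the obproxy setting, which is why the firewall rule in the last reply matters.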
Thanks! Changing the MySQL version number on obproxy (2883) with this method solved it. Then just block 2881 on the firewall.
1 like