CVE-2024-1597 - vulnerable Postgre DB client postgresql-42.4.1.jar in Skywalking 9.7

[lloquens]

Hello,

we are using Apache Skywalking 9.7 with PostgreDB as a datastore. This week was published the security issue CVE-2024-1597 (base score 10 - critical) in Postgre JDBC client.
Apache Skywalking APM 9.7 contains vulnerable DB client version 42.4.1 (apache-skywalking-apm-bin/oap-libs/postgresql-42.4.1.jar).

Could you please update Postgre JDBC driver in future version of Skywalking?

I tried update the Postgre driver on our environments, but I found following behavior:

1. I unpackaged the apache-skywalking-apm-9.7.0.tar.gz and set the Postgre DB datastore.
2. I removed old library apache-skywalking-apm-bin/oap-libs/postgresql-42.4.1.jar and copied the new library to apache-skywalking-apm-bin/oap-libs/postgresql-42.7.2.jar
3. I started the Skywalking OAP and I received following exception (OAP process down):

2024-02-23 13:59:33,376 - org.apache.skywalking.oap.server.starter.OAPServerBootstrap - 64 [main] ERROR [] - Failed to get driver instance for jdbcUrl=jdbc:postgresql:// xxxxxxxxxxxxxxxxxxxxxxxx/skywalking?targetServerType=primary&sslmode=require
java.lang.RuntimeException: Failed to get driver instance for jdbcUrl=jdbc:postgresql://xxxxxxxxxxxxxxxxxxxxxxxx/skywalking?targetServerType=primary&sslmode=require
        at com.zaxxer.hikari.util.DriverDataSource.<init>(DriverDataSource.java:110) ~[HikariCP-3.1.0.jar:?]
        at com.zaxxer.hikari.pool.PoolBase.initializeDataSource(PoolBase.java:334) ~[HikariCP-3.1.0.jar:?]
        at com.zaxxer.hikari.pool.PoolBase.<init>(PoolBase.java:109) ~[HikariCP-3.1.0.jar:?]
        at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:108) ~[HikariCP-3.1.0.jar:?]
        at com.zaxxer.hikari.HikariDataSource.<init>(HikariDataSource.java:81) ~[HikariCP-3.1.0.jar:?]
        at org.apache.skywalking.oap.server.library.client.jdbc.hikaricp.JDBCClient.connect(JDBCClient.java:54) ~[library-client-9.7.0.jar:9.7.0]
        at org.apache.skywalking.oap.server.storage.plugin.jdbc.common.JDBCStorageProvider.start(JDBCStorageProvider.java:240) ~[storage-jdbc-hikaricp-plugin-9.7.0.jar:9.7.0]
        at org.apache.skywalking.oap.server.library.module.BootstrapFlow.start(BootstrapFlow.java:46) ~[library-module-9.7.0.jar:9.7.0]
        at org.apache.skywalking.oap.server.library.module.ModuleManager.init(ModuleManager.java:75) ~[library-module-9.7.0.jar:9.7.0]
        at org.apache.skywalking.oap.server.starter.OAPServerBootstrap.start(OAPServerBootstrap.java:52) [server-starter-9.7.0.jar:9.7.0]
        at org.apache.skywalking.oap.server.starter.OAPServerStartUp.main(OAPServerStartUp.java:23) [server-starter-9.7.0.jar:9.7.0]
Caused by: java.sql.SQLException: No suitable driver
        at java.sql.DriverManager.getDriver(DriverManager.java:299) ~[java.sql:?]
        at com.zaxxer.hikari.util.DriverDataSource.<init>(DriverDataSource.java:103) ~[HikariCP-3.1.0.jar:?]
        ... 10 more 

If I did first start of Skywalking with original library postgresql-42.4.1.jar and replace the library after first run with postgresql-42.4.1.jar, after restart Skywalking successfully connect to Postgre DB with new JDBC driver postgresql-42.7.2.jar:

at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:590) ~[postgresql-42.7.2.jar:42.7.2]

Could you please help me, how can I update the Postgre JDBC driver?

Thank you very much, best regard,

Ladislav

[wu-sheng]

No suitable driver usually means, your new jar is not included into the classpath.

[wu-sheng]

I bumped up the version to fix it, #11922. I didn't pick 42.7 as 42.4 has its own fix.

From https://nvd.nist.gov/vuln/detail/CVE-2024-1597, Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.. 42.4.4 should be safe.

[lloquens]

Thank you very much for Postgre driver update #11922. I’ll wait for new official release of Skywalking.

I tried replace the oap-libs/postgresql-42.4.1.jar by oap-libs/postgresql-42.4.4.jar in Skywalking 9.7 and the behavior is the same - needs first run with old library postgresql-42.4.1.jar and after that can be Postgre driver updated. It is usable workaround for me until the official release of Skywalking. Thank you!

[mr-vardhan24]

hi @lloquens
I also want to set the skywalking in my Kubernetes cluster with the backend database timescale (Postgres)
please help me with this how can I set up this? and what are the steps you have followed and have you followed the helm, please help me with that as well.

[lloquens]

Hello mr-vardhan24,
I do not use Skywlking on container platform, we are using on-premise infrastructure.
Configuration Skywalking for Postgre DB is easy:

1. Prepare “empty” database schema and DB user with required rights.
2. Change following parameters in /config/application.yml

storage:
   selector: ${SW_STORAGE:postgresql}
...
  postgresql:
    properties:
       jdbcUrl: ${SW_JDBC_URL:"jdbc:postgresql://<your_JDBC_URL>"}
       dataSource.user: ${SW_DATA_SOURCE_USER:<DB_user>}
       dataSource.password: ${SW_DATA_SOURCE_PASSWORD:<DB_password>}

3. Restart Skywalking and check logs and database. Skywalking will automatically prepare DB objects in new database.
   I am sorry, I have no experience with Skywalking in containers (Kubernetes, Helm).
   Regards, Ladislav

[mr-vardhan24]

@lloquens thanks for the answer!
actually, in my helm chart, there is no file such as "/config/application.yml"
I have entered the Postgres database details in the values.yaml so that it can connect to my existing Postgres database.

how can i configure it now please help.

[wu-sheng]

actually, in my helm chart, there is no file such as "/config/application.yml"

This file is in the OAP document image not a helm configuration. All configuration names are exposed by this yaml file, and available in the document

• Explanation of the YAML file, https://skywalking.apache.org/docs/main/latest/en/setup/backend/backend-setup/#applicationyml
• Booting parameters in logs, https://skywalking.apache.org/docs/main/latest/en/setup/backend/backend-setup/#key-parameters-in-the-booting-logs
• All configurations, https://skywalking.apache.org/docs/main/latest/en/setup/backend/configuration-vocabulary/

I think I mentioned this to you, and you didn't read the document from the beginning. SW_JDBC_URL in jdbcUrl: ${SW_JDBC_URL:"jdbc:postgresql://<your_JDBC_URL>"} represents this variable name is provided for you to use in the system environment variable.

[mr-vardhan24]

Hi @lloquens
Can you please help me to set up the skywlking on-premise infrastructure.
mean what document you have followed and what steps you have followed.

[lloquens]

Hi, use following documents:
https://skywalking.apache.org/docs/main/latest/en/setup/backend/backend-storage/
https://skywalking.apache.org/docs/main/latest/en/setup/backend/storages/postgresql/

[mr-vardhan24]

thanks!
is there any document you have followed for the skywalking setup in Linux (standalone server)?

[lloquens]

1. install Java - download and "un-tar" Java (8 and newer), for example https://adoptium.net/temurin/releases/) + export PATH to your java
2. Skywalking

• download Skywalking and "un-tar"
• try start Skywalking with deafult configuration - start: bin/oapService.sh & ; bin/webappService.sh &
• Skywalking web app: http://ip_address:8080/

3. PostgreDB

• prepare Postgre DB - DBuser + DBpass
• change Skywalking configuration (form example DB) - /config/application.yml
• restart Skywalking

For example, I found following manual: https://computingforgeeks.com/install-apache-skywalking-apm-tool-on-linux/?utm_content=cmp-true