Oracle MySQL Server

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: Oracle MySQL Server

| username: TiDBer_VtkBZH6I

During the use of TiDB, a vulnerability scanning tool was used, and it indicated security issues. The details are as follows:

How should these vulnerabilities be addressed?

| username: Billmay表妹 | Original post link

This is not a vulnerability of TiDB, right?

| username: Billmay表妹 | Original post link

However, I can report this to the security department to see if this feedback will have any impact on TiDB.

| username: 啦啦啦啦啦 | Original post link

It actually has nothing to do with TiDB. Just change the MySQL version number of TiDB to bypass the scan.

| username: TiDBer_VtkBZH6I | Original post link

The underlying layer of TiDB is MySQL, right? So how do you bypass scanning? How do you modify the MySQL version?

| username: 啦啦啦啦啦 | Original post link

The underlying layer has nothing to do with MySQL, it just supports MySQL syntax. For version number modifications, refer to the link I posted above.

| username: TiDBer_VtkBZH6I | Original post link

It is related to TiDB. The security scanning software scanned the machine where TiDB is installed, and the port numbers also match.

| username: TiDBer_VtkBZH6I | Original post link

Modification unsuccessful.
line 83: key “server-version” already set in map

| username: 啦啦啦啦啦 | Original post link

The error seems to be a duplication. Check if the server-version configuration is written twice.

| username: TiDBer_VtkBZH6I | Original post link

There isn’t any duplicate in the configuration file; it appears only once. Previously, the configuration file didn’t set this attribute, so it should have been the default.

| username: 啦啦啦啦啦 | Original post link

Paste the content of line 83 and take a look.

| username: TiDBer_9lcG6OP4 | Original post link

Can changing the version number bypass the security scan?

| username: 春风十里 | Original post link

The compliance software treats this as MySQL. I think theoretically changing the version is feasible because TiDB is actually not MySQL; it’s their software that made the mistake.

| username: 啦啦啦啦啦 | Original post link

It can be bypassed. Actually, the principle of the scanning tool is very simple; it just connects to the port (as with telnet) and checks the returned version number.

| username: zhanggame1 | Original post link

Scanning software that doesn’t log into the database is useless; it can’t obtain the real version information of the database. To scan effectively, you need to log into the database first.
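As an added example (not code from the forum posts or from TiDB), the following shows what a banner-only scanner actually sees: a parser for the MySQL protocol v10 initial handshake, run over a constructed greeting. It illustrates both 啦啦啦啦啦's point that the tool reads only the announced version string and zhanggame1's point that this string says nothing reliable about the real server until you authenticate and query it. The packet bytes, the connection id and the version string `5.7.25-TiDB-v6.5.0` are constructed sample values.

```python
import struct

CLIENT_PLUGIN_AUTH = 1 << 19  # capability bit: auth plugin name present in greeting

def build_handshake(server_version: str, connection_id: int = 42) -> bytes:
    """Constructed MySQL protocol v10 initial handshake (not a real capture)."""
    body = bytes([0x0A]) + server_version.encode() + b"\x00"  # protocol version, NUL-terminated version
    body += struct.pack("<I", connection_id)
    body += b"12345678\x00"                                    # auth-plugin-data-part-1 + filler
    body += struct.pack("<H", 0xF7FF)                          # capability flags, low 16 bits
    body += bytes([0x21])                                      # character set
    body += struct.pack("<H", 0x0002)                          # status flags
    body += struct.pack("<H", 0x81FF)                          # capability flags, high 16 bits
    body += bytes([21])                                        # total auth-plugin-data length
    body += b"\x00" * 10                                       # reserved
    body += b"abcdefghijkl\x00"                                # auth-plugin-data-part-2 (13 bytes)
    body += b"mysql_native_password\x00"                       # auth plugin name
    return len(body).to_bytes(3, "little") + b"\x00" + body    # 3-byte length + sequence id 0

def parse_handshake(pkt: bytes) -> dict:
    """Decode the fields a scanner sees before any login: version string, flags, plugin."""
    length = int.from_bytes(pkt[:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length or body[0] != 0x0A:
        raise ValueError("not a MySQL protocol v10 handshake")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii")
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", body, pos); pos += 4
    pos += 9                                        # skip auth-plugin-data-part-1 (8) + filler (1)
    cap_lo, charset, status, cap_hi = struct.unpack_from("<HBHH", body, pos); pos += 7
    caps = cap_lo | (cap_hi << 16)
    auth_len = body[pos]; pos += 1 + 10             # auth data length byte + 10 reserved bytes
    pos += max(13, auth_len - 8)                    # skip auth-plugin-data-part-2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode("ascii")
    return {"server_version": version, "connection_id": conn_id, "capabilities": caps,
            "charset": charset, "status": status, "auth_plugin": plugin}

def classify_banner(server_version: str) -> str:
    """Banner-only fingerprint: TiDB's version string carries '-TiDB-' after a MySQL base
    version; any other banner is an unverified claim until you log in and query the server."""
    if "-TiDB-" in server_version:
        return "TiDB (MySQL-compatible protocol, not Oracle MySQL)"
    return "MySQL-compatible (unverified)"
```

The `server_version` field here is exactly the string TiDB's `server-version` setting replaces, which is why editing it changes what the scanner reports without changing anything about the server's actual code.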

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.