SB2023041024 - Multiple vulnerabilities in Apache Linkis

Security Bulletin ID SB2023041024

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-44644)

The vulnerability allows a remote user to read contents of arbitrary files.

The vulnerability exists due to the MySQL Connector/J in the data source module allows to read local files by adding the "allowLoadLocalInfile" to true in the JDBC parameter. A remote user can view contents of arbitrary files on the system.

2) Deserialization of Untrusted Data (CVE-ID: CVE-2022-44645)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in when used with the MySQL Connector/J. A remote user with write access to the database and ability to configure a MySQL data source and malicious parameters can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

SB2023041024 - Multiple vulnerabilities in Apache Linkis

Breakdown by Severity

Description

Remediation

References