VYPR
High severity · NVD Advisory · Published Sep 20, 2022 · Updated May 29, 2025

Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC

CVE-2022-40955

Description

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong before 1.3.0 allows RCE via deserialization of attacker-controlled MySQL JDBC data.

CVE-2022-40955 is a deserialization vulnerability in Apache InLong prior to version 1.3.0 [1][3]. The root cause lies in the insufficient validation of MySQL JDBC connection URL parameters. An attacker with privileges to specify these parameters and write arbitrary data to the MySQL database can cause InLong to deserialize that data, leading to remote code execution (RCE) on the InLong server. The issue was discovered by 4ra1n of Chaitin Tech [3].
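As an added example (not code from Apache InLong or its 1.3.0 fix), the following Python module shows what validating user-supplied MySQL JDBC connection URL parameters looks like in practice: it accepts only the plain host/port/database URL form and only an explicit allowlist of connection properties, and rejects everything else. The allowed-property list, the accepted URL grammar, and the sample URLs are assumptions constructed for this illustration.

```python
"""Allowlist validation for a user-supplied MySQL JDBC connection URL.

Added illustration, not Apache InLong's code or its actual fix. A service
that lets privileged users specify a JDBC URL should accept only known,
benign connection properties instead of forwarding arbitrary driver
options. The allowed-property list and the accepted URL grammar below are
assumptions made for this example.
"""
import re
from urllib.parse import unquote

# Hypothetical allowlist of connection properties the service will pass on
# (stored lowercase; keys are compared case-insensitively). Anything else
# is rejected, so driver options that change how result data is handled
# never reach the driver.
ALLOWED_PARAMS = frozenset({
    "usessl", "requiressl", "verifyservercertificate",
    "characterencoding", "servertimezone",
    "connecttimeout", "sockettimeout",
})

# Only the plain  jdbc:mysql://host[:port]/database[?query]  form is accepted.
# Alternative host syntaxes that can carry key=value pairs inside the
# authority part are rejected wholesale rather than parsed.
_URL_RE = re.compile(
    r"jdbc:mysql://"
    r"(?P<host>[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"/(?P<db>[A-Za-z0-9_\-]*)"
    r"(?:\?(?P<query>.*))?"
)


class JdbcUrlError(ValueError):
    """Raised when a URL does not pass validation."""


def validate_mysql_jdbc_url(url: str) -> dict:
    """Parse `url` and return its parts, or raise JdbcUrlError.

    The caller should build the connection from the returned parts (host,
    port, database and the vetted property dict) rather than forwarding
    the original string, so nothing unvalidated reaches the driver.
    """
    if not url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        raise JdbcUrlError("URL contains whitespace or control characters")

    match = _URL_RE.fullmatch(url)
    if match is None:
        raise JdbcUrlError("unsupported JDBC URL form")

    port = int(match.group("port") or 3306)
    if not 1 <= port <= 65535:
        raise JdbcUrlError(f"port out of range: {port}")

    params = {}
    query = match.group("query") or ""
    for pair in query.split("&"):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        # Percent-decode before comparing, so an encoded key cannot slip
        # past the allowlist and be decoded later by the driver.
        key = unquote(raw_key).lower()
        if not key:
            raise JdbcUrlError("empty property name")
        if key not in ALLOWED_PARAMS:
            raise JdbcUrlError(f"connection property not allowed: {raw_key!r}")
        if key in params:
            raise JdbcUrlError(f"duplicate connection property: {raw_key!r}")
        params[key] = unquote(raw_value)

    return {
        "host": match.group("host"),
        "port": port,
        "database": match.group("db"),
        "params": params,
    }


def is_safe_mysql_jdbc_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_mysql_jdbc_url."""
    try:
        validate_mysql_jdbc_url(url)
        return True
    except JdbcUrlError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs for demonstration; none refer to a real host.
    samples = [
        "jdbc:mysql://db.internal:3306/inlong?useSSL=true&serverTimezone=UTC",
        "jdbc:mysql://db.internal/inlong?use%53SL=true",  # decodes to useSSL
        "jdbc:mysql://db.internal:3306/inlong?useSSL=true&someOtherOption=1",
        "jdbc:mysql://db.internal:3306/inlong?useSSL=true&usessl=false",
        "jdbc:mysql://(host=db.internal,port=3306)/inlong",
    ]
    for sample in samples:
        try:
            print("ACCEPT", validate_mysql_jdbc_url(sample))
        except JdbcUrlError as err:
            print("REJECT", sample, "->", err)
```

Decoding each key before the allowlist comparison, rejecting duplicate keys, and refusing the alternative host syntaxes are the details a naive query-string check tends to miss; the connection should then be built from the returned parts rather than from the raw string the user supplied.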

Exploitation

To exploit this vulnerability, an attacker must have sufficient privileges to control the MySQL JDBC connection URL used by InLong and also be able to write crafted data to a MySQL database that InLong connects to [1][3]. The malicious data, when deserialized by InLong, triggers the execution of arbitrary code. This attack vector requires prior access or authorization to manipulate the database configuration, but does not require direct network access to the InLong server beyond normal administrative interfaces.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the Apache InLong server with the privileges of the InLong process [1][3]. This can lead to full compromise of the server, enabling data exfiltration, lateral movement, or further attacks against connected systems. The vulnerability is rated as 'important' severity [3].

Mitigation

The vulnerability affects all Apache InLong versions before 1.3.0. Users are advised to upgrade to Apache InLong version 1.3.0 or newer, which contains the fix [1][3]. No workarounds are mentioned in the advisories. The CVE is disclosed and published, so immediate patching is recommended.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.inlong:inlong-common (Maven)
Affected versions: < 1.3.0
Patched versions: 1.3.0

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)