Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability
Description
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade Linkis to version 1.3.1.
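As an added defensive example (not code from the Linkis project), the kind of check the description calls for: parse a jdbc:mysql URL, normalise its query parameters, and reject any that appear on a blacklist of Connector/J properties known to make the driver deserialize data or read local files. The blacklist contents, the case-insensitive matching and the outright rejection of other sub-protocols and of the host-specific `address=(key=value)` syntax are conservative assumptions of this example, not the project's own list.

```python
from urllib.parse import urlsplit, parse_qsl

# Connector/J URL properties that make the driver deserialize data or read local
# files. This list is an assumption for the example, not the Linkis project's
# own blacklist; keys are stored lower-cased so matching is case-insensitive.
BLOCKED_PARAMS = {
    "autodeserialize",
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "queryinterceptors",
    "statementinterceptors",
}


def jdbc_url_params(url: str) -> dict:
    """Return the query parameters of a plain jdbc:mysql://host/db?k=v URL.

    Keys are percent-decoded (parse_qsl does that), stripped and lower-cased so
    that autoDeserialize, AUTODESERIALIZE and auto%44eserialize compare equal.
    Other sub-protocols (loadbalance, replication) and the host-specific
    address=(key=value) syntax are rejected outright rather than parsed.
    """
    if not url.lower().startswith("jdbc:mysql://"):
        raise ValueError("only plain jdbc:mysql:// URLs are accepted")
    parts = urlsplit(url[len("jdbc:"):])  # urlsplit expects a single scheme
    if "(" in parts.netloc or "=" in parts.netloc:
        raise ValueError("host-specific key=value syntax is not allowed")
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params[key.strip().lower()] = value
    return params


def check_jdbc_url(url: str) -> tuple:
    """Return (True, 'ok') when the URL carries no blocked parameter,
    otherwise (False, reason). Unparseable URLs are rejected, never allowed."""
    try:
        params = jdbc_url_params(url)
    except ValueError as exc:
        return False, str(exc)
    hits = sorted(k for k in params if k in BLOCKED_PARAMS)
    if hits:
        return False, "blocked parameter(s): " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    # constructed sample URLs, not taken from the advisory
    for u in ("jdbc:mysql://db.example:3306/linkis?useSSL=true",
              "jdbc:mysql://db.example:3306/linkis?auto%44eserialize=true"):
        print(u, "->", check_jdbc_url(u))
```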
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deserialization vulnerability in Apache Linkis <=1.3.0, when used with MySQL Connector/J, allows remote code execution if an attacker has write access to a database.
Vulnerability
Description
CVE-2022-44645 is a deserialization vulnerability in Apache Linkis versions <= 1.3.0 that manifests when the system is used with the MySQL Connector/J library. The root cause is that Linkis does not properly sanitize parameters in JDBC URLs when configuring a MySQL data source. An attacker with write access to a database can craft a malicious JDBC URL containing serialized objects that, upon deserialization by the MySQL Connector/J, can lead to arbitrary code execution [1][2].
Exploitation
Prerequisites and Attack Surface
Exploitation requires the attacker to have write access to a database that Linkis can connect to, and the ability to configure a new datasource within Linkis using a MySQL data source. The attacker then injects malicious parameters into the JDBC URL, exploiting the deserialization flaw. There is no mention of authentication being required beyond the database write access, but the attacker must be able to interact with Linkis to create or modify datasource configurations [2].
Impact
Successful exploitation results in remote code execution on the server running Linkis, under the privileges of the Linkis process. This could lead to full compromise of the Linkis instance and potentially lateral movement within the network, as the attacker could execute arbitrary commands, access sensitive data, or further pivot to other systems [1][2].
Mitigation
Users are strongly advised to upgrade to Apache Linkis version 1.3.1, which includes a blacklist of dangerous JDBC URL parameters to prevent deserialization attacks. No workaround is provided for earlier versions beyond upgrading, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the analysis date [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis (Maven) | < 1.3.1 | 1.3.1 |
Affected products
- Apache Software Foundation / Apache Linkis (incubating)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-h6w8-52mq-4qxc (GHSA, advisory)
- lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4 (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-44645 (GHSA, advisory)