Apache Linkis has released security updates to address three vulnerabilities in its DataSource module. These vulnerabilities, could allow attackers to read arbitrary files, execute remote code, and perform JNDI injection attacks.
The vulnerabilities are as follows:
The first vulnerability tracked as CVE-2023-41916 enables arbitrary file reading due to inadequate parameter filtering in the DataSourceManager module. Attackers could exploit this flaw by configuring malicious MySQL JDBC parameters.
The second vulnerability tracked as CVE-2023-46801 is a remote code execution vulnerability exists in the data source management module when adding MySQL data sources. Specifically, Java versions older than 1.8.0_241 are susceptible to deserialization attacks via JRMP, allowing attackers to inject and execute malicious files on the server.
The third vulnerability tracked as CVE-2023-49566 is an Improper parameter filtering also leads to a JNDI injection vulnerability when configuring DB2 parameters in the DataSource Manager module.
An attacker requires to have an authorized Linkis account, the potential for unauthorized access to sensitive files, remote code execution, and JNDI injection poses significant risks to data integrity and system security.
Its strongly recommends all users upgrade to version 1.6.0 immediately. This updated version includes patches that rectify these vulnerabilities, mitigating the associated risks.
