CVE-2023-46227: Apache InLong Arbitrary File Read Vulnerability
Apache InLong is a popular data integration framework that is used by many organizations to process large amounts of data. Recently, a security vulnerability was discovered in Apache InLong that could allow attackers to read arbitrary files on the target system. This vulnerability is known as CVE-2023-46227 and it has a severity rating of important.
The spotlight falls on the “Deserialization of Untrusted Data Vulnerability” within Apache Software Foundation’s Apache InLong. This flaw allows attackers to exploit a bypass using the “\t” character, potentially granting them unwarranted access.
Deserialization is the process of converting serialized data back into its original format. If serialized data is not properly validated, it can be possible for an attacker to inject malicious code into the deserialized data. This code can then be executed when the deserialized data is used.
In the case of CVE-2023-46227, an attacker can inject malicious code into a serialized data object and then send that object to an Apache InLong server. When the server deserializes the object, the malicious code will be executed. This code could then be used to read arbitrary files on the target system.
This vulnerability is particularly dangerous because it can be exploited remotely. An attacker does not need to have local access to the target system in order to exploit this vulnerability. This makes it easier for attackers to exploit this vulnerability and it also makes it more difficult to defend against.
The version range affected by this vulnerability spans from 1.4.0 to 1.8.0. Credit for unearthing this potential ticking time bomb goes to security researchers Zhiwei and S3gundo.
While the vulnerability has been identified, the onus is now on you to fortify your systems. The immediate recourse is straightforward: upgrade to Apache InLong’s 1.9.0. This version contains the necessary patches to neutralize the threat. Alternatively, for those who wish to retain their current version, a cherry-pick solution has been made available.
