CVE-2023-51784 & 51785: Two Critical Security Flaws in Apache InLong

CVE-2023-51784 & CVE-2023-51785

Apache InLong emerges as a pioneering framework, adept at harnessing the torrent of information flowing through the veins of modern enterprises. Designed as a one-stop solution, Apache InLong skillfully manages massive data integration, offering capabilities ranging from Data Ingestion and Synchronization to Subscription. It stands out by supporting both batch and stream data processing, a feature indispensable for building sophisticated data analysis and real-time applications. Recently, multiple vulnerabilities were found in Apache InLong.

CVE-2023-51784: Remote Code Execution vulnerability in Apache InLong Manager

Tagged with an ‘important’ severity rating, CVE-2023-51784 is a Remote Code Execution (RCE) vulnerability in Apache InLong Manager. Stemming from an ‘Improper Control of Generation of Code’ (Code Injection), this flaw haunted versions 1.5.0 to 1.9.0. The vulnerability allowed attackers to execute arbitrary code remotely, posing a significant risk to the integrity and security of data managed by InLong. Users are strongly advised to upgrade to Apache InLong 1.10.0 or cherry-pick the fix to mitigate this threat.

CVE-2023-51785: Arbitrary File Read Vulnerability in Apache InLong Manager

Parallel in importance, CVE-2023-51785 unveils an Arbitrary File Read Vulnerability in Apache InLong Manager. This vulnerability, resulting from the Deserialization of Untrusted Data, affected versions from 1.7.0 through 1.9.0. In this scenario, attackers could exploit the MySQL driver to perform arbitrary file-read attacks, potentially gaining unauthorized access to sensitive data. Upgrading to Apache InLong’s version 1.10.0 or cherry-picking the specific fix is the recommended course of action.
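The summary above does not say how the MySQL driver is reached. Assuming the Manager hands a caller-supplied MySQL JDBC URL to Connector/J, the following added example (not InLong's code and not its fix) rejects URLs that mention the Connector/J properties `allowLoadLocalInfile`, `allowUrlInLocalInfile`, `allowLoadLocalInfileInPath` or `autoDeserialize`. The class name `JdbcUrlCheck` and the sample URLs are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;

public class JdbcUrlCheck {
    // Connector/J properties tied to client-side file reads or object deserialization.
    // "allowloadlocalinfile" also matches allowLoadLocalInfileInPath by substring.
    private static final List<String> BLOCKED = List.of(
            "allowloadlocalinfile", "allowurlinlocalinfile", "autodeserialize");

    /** Percent-decode until stable so single or double encoding cannot hide a key. */
    static String normalize(String url) {
        String cur = url;
        for (int i = 0; i < 5; i++) {
            String next = URLDecoder.decode(cur, StandardCharsets.UTF_8);
            if (next.equals(cur)) return cur.toLowerCase(Locale.ROOT);
            cur = next;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    /** Strict policy (assumption): plain jdbc:mysql:// only, blocked keys nowhere in the URL. */
    static void validate(String url) {
        String n = normalize(url);
        if (!n.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("not a plain MySQL JDBC URL");
        }
        for (String key : BLOCKED) {
            if (n.contains(key)) throw new IllegalArgumentException("blocked property: " + key);
        }
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "jdbc:mysql://db.example.internal:3306/inlong?useSSL=true",
            "jdbc:mysql://db.example.internal:3306/inlong?allowLoadLocalInfile=true",
            "jdbc:mysql://db.example.internal:3306/inlong?%61llowUrlInLocalInfile=true",
            "jdbc:mysql://(host=db.example.internal,autoDeserialize=true)/inlong",
        };
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("ACCEPT " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check scans the whole decoded URL rather than only the query string, because Connector/J also accepts properties inside the host section. It is a stopgap for input validation and does not replace the upgrade to 1.10.0.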

Upgrade Now

The good news is that both these vulnerabilities have been patched in the latest InLong 1.10.0 release. So, the first line of defense is simple: upgrade! If immediate patching isn’t an option, you can also apply a cherry-pick fix to your specific InLong version.