Security Vulnerabilities in Apache Linkis Expose Systems to Arbitrary File Reading and RCE
Apache Linkis, a popular computation middleware used to connect applications with data engines, has released security patches to address three vulnerabilities in its DataSource module. These vulnerabilities, identified as CVE-2023-41916, CVE-2023-46801, and CVE-2023-49566, could allow attackers to read arbitrary files, execute remote code, and perform JNDI injection attacks, respectively.
Vulnerability Breakdown
- CVE-2023-41916 (Important): This vulnerability enables arbitrary file reading due to inadequate parameter filtering in the DataSourceManager module. Attackers could exploit this flaw by configuring malicious MySQL JDBC parameters.
- CVE-2023-46801 (Moderate): A remote code execution vulnerability exists in the data source management module when adding MySQL data sources. Specifically, Java versions older than 1.8.0_241 are susceptible to deserialization attacks via JRMP, allowing attackers to inject and execute malicious files on the server.
- CVE-2023-49566 (Important): Improper parameter filtering also leads to a JNDI injection vulnerability when configuring DB2 parameters in the DataSource Manager module.
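The parameter-filtering weakness described above is usually closed with an allowlist rather than a blocklist. The following is an added example, not Apache Linkis code: the class name JdbcParamAllowlist, the allowlisted option names and the sample inputs are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

public class JdbcParamAllowlist {
    // Assumed allowlist for illustration; extend only with options you have reviewed.
    private static final Set<String> ALLOWED = Set.of(
        "usessl", "characterencoding", "connecttimeout", "sockettimeout", "servertimezone");
    // Characters that could start a new parameter or URL component inside a value.
    private static final Pattern UNSAFE_VALUE = Pattern.compile("[&;?#()\\s]");

    /** Returns a decoded copy of params; throws if any key or value is not acceptable. */
    static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = fullyDecode(e.getKey()).trim();
            String value = fullyDecode(e.getValue());
            // Compare case-insensitively: anything not explicitly allowed is refused.
            if (!ALLOWED.contains(key.toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("JDBC parameter not allowed: " + key);
            if (UNSAFE_VALUE.matcher(value).find())
                throw new IllegalArgumentException("Unsafe value for parameter: " + key);
            clean.put(key, value);
        }
        return clean;
    }

    // Decode until stable so a percent-encoded or double-encoded name is
    // checked in the same clear form a URL parser would eventually see.
    static String fullyDecode(String s) {
        for (int i = 0; i < 5; i++) {
            String next = URLDecoder.decode(s, StandardCharsets.UTF_8);
            if (next.equals(s)) return s;
            s = next;
        }
        throw new IllegalArgumentException("Too many encoding layers");
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "notAllowed" is a made-up parameter name.
        System.out.println(validate(Map.of("use%53SL", "true")));
        try {
            validate(Map.of("not%41llowed", "true"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Build the connection URL from the map that validate returns, never from the raw string the user submitted, so nothing reaches the driver without passing the check.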
Urgency of Mitigation
While all three vulnerabilities require attackers to have an authorized Linkis account, the potential for unauthorized access to sensitive files, remote code execution, and JNDI injection poses significant risks to data integrity and system security.
The Apache Linkis project strongly recommends all users upgrade to version 1.6.0 immediately. This updated version includes patches that rectify these vulnerabilities, mitigating the associated risks.