Rewterz Threat Advisory – Multiple Apache Linkis Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-44644 CVSS:6.5

Apache Linkis could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when used with the MySQL Connector/J. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary local file, and use this information to launch further attacks against the affected system.

CVE-2022-44645 CVSS:8.8

Apache Linkis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the DatasourceManager module. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

• Code Execution
• Information Disclosure

Indicators Of Compromise

CVE

• CVE-2022-44644
• CVE-2022-44645

Affected Vendors

Apache

Affected Products

• Apache Linkis 1.3.0
• Apache Linkis 1.2.0

Remediation

Upgrade to the latest version of Apache Linkis, available from the Apache Web site.

Apache Web site