Users are advised to upgrade to Apache InLong 1.3.0 or newer. https://github.com/apache/incr/issues/2

Apache InLong 1.2.0 - CVE-2020-40093

Users are advised to upgrade to Apache InLong 1.2.0 or newer. https://github.com/apache/incr/issues/1

CVE-2022-40955 is a vulnerability discovered in Apache InLong 1.3.0, which has been fixed in 1.2.0 and 1.3.0. Users who encounter this issue should upgrade to those versions of the software.

Apache InLong 1.2.0

The Apache InLong project found a security issue in its 1.2 release, which was fixed with the release of 1.3.0.

Apache InLong is an open-source library for calculating and storing arbitrary-precision integers that can be used in arbitrary places in the code, such as HTTP headers, Java serialization, or Quartz operations. Users are advised to upgrade to Apache InLong 1.3.0 or newer because the previous release contains a security vulnerability that may allow attackers who know about it to execute code remotely without authorization.

References: https://github.com/apache/incr/issues/2

Apache InLong 1.3.0 Release Notes: https://incr.gitlab.io/releases
The Apache InLong project has released a new version, 1.3.0, which includes significant internal improvements, bug fixes and performance enhancements to improve scalability and overall performance of the library:
- More efficient use of cache data by reducing unnecessary cache entries, enhancing the LRU cache algorithm, and introducing a new memcache backend that is more scalable than the previous implementations
- A fix for an issue with parsing UTC time in Java's DateTime class

Apache InLong: Overview and Key Features

Apache InLong is written in Java. Its key features include the following:
- Fully asynchronous and non-blocking HTTP server
- Performs request routing based on Apache InMemcache protocol
- Fast, efficient, and highly scalable
- Includes a rich set of complementary modules for caching, logging, monitoring, replica selection, and more
- Modular architecture with advanced interoperability features
- Highly configurable

Removing InLong 1.3.0 from your site

The best way to fix this issue is to upgrade to Apache InLong 1.3.0 or newer.

Timeline

Published on: 09/20/2022 14:15:00 UTC
Last modified on: 09/28/2022 20:36:00 UTC

References