Date: Wed, 26 Oct 2022 16:25:26 +0800
From: peacewong <>
Subject: CVE-2022-39944: The Apache Linkis JDBC EngineConn module has a RCE Vulnerability

Severity: important


In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a
deserialization vulnerability with possible remote code execution
impact exists when an attacker has write access to a database and
configures a JDBC EC with a MySQL data source and malicious
parameters. Therefore, the parameters in the JDBC URL should be
blacklisted. Versions of Apache Linkis <= 1.2.0 are affected. We
recommend that users update to 1.3.0.
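The advisory recommends blacklisting JDBC URL parameters. The stricter form of that control is an allowlist: accept only the handful of Connector/J connection properties a data-source owner legitimately needs, and reject every other property together with any URL form that can carry properties outside the query string. The following validator is an added example, not code from Apache Linkis or from the advisory's authors; the class name `JdbcUrlValidator`, the contents of `ALLOWED_PARAMS`, and the sample hostnames and database names are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Validates a user-supplied MySQL JDBC URL before it reaches Connector/J.
 * Only a fixed allowlist of connection properties is accepted; every other
 * property, and every URL form that can carry properties outside the query
 * string, is rejected.
 */
public final class JdbcUrlValidator {

    // Properties a data-source owner may set. This set is an assumption for the
    // example; trim or extend it to match your deployment's policy. Names are
    // compared case-insensitively so spelling variants cannot slip through.
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "usessl", "requiressl", "useunicode", "characterencoding",
            "servertimezone", "connecttimeout", "sockettimeout");

    private static final String PREFIX = "jdbc:mysql://";

    // Plain host[:port][/database] only: no commas (multi-host lists), no
    // parentheses or '=' (key=value host syntax), no '#' fragment.
    private static final Pattern HOST_AND_DB =
            Pattern.compile("^[A-Za-z0-9.\\-]+(:\\d{1,5})?(/[A-Za-z0-9_]*)?$");

    public static final class InvalidJdbcUrl extends IllegalArgumentException {
        public InvalidJdbcUrl(String message) { super(message); }
    }

    /** Returns the normalised, validated parameters; throws InvalidJdbcUrl otherwise. */
    public static Map<String, String> validate(String url) {
        if (url == null || !url.startsWith(PREFIX)) {
            throw new InvalidJdbcUrl("only plain jdbc:mysql:// URLs are accepted");
        }
        String rest = url.substring(PREFIX.length());
        int q = rest.indexOf('?');
        String hostAndDb = q < 0 ? rest : rest.substring(0, q);
        String query = q < 0 ? "" : rest.substring(q + 1);

        if (!HOST_AND_DB.matcher(hostAndDb).matches()) {
            throw new InvalidJdbcUrl("host section must be host[:port][/database]: " + hostAndDb);
        }

        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before comparing, so an encoded spelling of a property
            // name cannot hide it from the allowlist check.
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8).trim()
                    .toLowerCase(Locale.ROOT);
            String value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            if (!ALLOWED_PARAMS.contains(key)) {
                throw new InvalidJdbcUrl("connection property not permitted: " + rawKey);
            }
            if (params.put(key, value) != null) {
                throw new InvalidJdbcUrl("duplicate connection property: " + rawKey);
            }
        }
        return params;
    }

    /** Convenience wrapper for callers that only need a yes/no answer. */
    public static boolean isAcceptable(String url) {
        try {
            validate(url);
            return true;
        } catch (InvalidJdbcUrl e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the hostnames and database names are made up.
        String[] samples = {
            "jdbc:mysql://db.example.internal:3306/linkis?useSSL=true&characterEncoding=utf8",
            "jdbc:mysql://db.example.internal:3306/linkis?useSSL=true&unexpectedProperty=1",
            "jdbc:mysql://db.example.internal:3306/linkis?useSSL=true&unexpected%50roperty=1",
            "jdbc:mysql://address=(host=db.example.internal)(port=3306)/linkis",
        };
        for (String s : samples) {
            System.out.println((isAcceptable(s) ? "ACCEPT " : "REJECT ") + s);
        }
    }
}
```

Of the four constructed samples, only the first is accepted: the second carries a property outside the allowlist, the third is the same property with a percent-encoded letter (caught because the check decodes before comparing), and the fourth uses the key=value host syntax that can smuggle properties past a query-string-only filter. Placing a check like this where the JDBC EngineConn reads the data-source URL limits what a user with write access to the data-source configuration can pass to the driver.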


Users of <= 1.2.0 should upgrade to 1.3.0, or upgrade the materials of
JDBC EngineConn separately; you can refer


This issue was discovered by 4ra1n and zac from ZAC Security Team
