Apache Linkis creates a compute middleware layer to unify task and engine governance and orchestration while enabling cross-engine context sharing. It also provides standardized interfaces (REST, JDBC, WebSocket, etc.) to connect to multiple  engines like Spark, Presto, Flink, etc.

CVE-2022-3994

The JDBC EngineConn module has a flaw, which an attacker might use to deserialize and thereby get remote code execution.

A deserialization vulnerability exists in Apache Linkis =1.2.0 when combined with the MySQL Connector/J  when an advisory has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Consequently, it is necessary to blacklist the arguments in the jdbc url. Affected version includes Apache Linkis version prior to 1.3.0.

The vulnerability has been patched in the most recent version of Apache Linkis. Users are recommended to upgrade the JDBC EngineConn materials individually or install the unaffected version as soon as feasible,

RedEye: A great opensource cyber security Log Visualization tool for Red and Blue teams

How to easily spoof mac address automatically and be more anonymous

How to Use Advanced Network Intelligence Toolkit for Pentesting: badKarma

Tutorial for pentesting Android apps using the free ZANTI toolkit

5 best free API security testing tools. Protecting your cloud CI/CD Pipeline

How to find zero-day vulnerabilities with Fuzz Faster U Fool (ffuf): Detailed free fuzzing tool tutorial

How to do professional vulnerability assessment on your website for free using Juice Shop?

How to do local privilege escalation attacks on Windows to brute force the local administrator account?

Mike Stevens

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.