[jira] [Updated] (KYLIN-5994) JDBC remote code execution vulnerability

Mon, 17 Feb 2025 19:01:39 -0800 


     [ 
https://issues.apache.org/jira/browse/KYLIN-5994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yinghao Lin updated KYLIN-5994:
-------------------------------
    Description: 
There is a vulnerability on adding jdbc data source with unchecked jdbc url 
which may cause kylin server connect to a malicious remote server and get 
unexpected result with code execution script invoked. (from Pho3n1x)

 

DBs and its' vulnerable url parameters are:

*derby*
 - startMaster
 - slaveHost

*mysql*
 - autoDeserialize
 - queryInterceptors
 - statementInterceptors
 - detectCustomCollations

*h2*
 - INIT=RUNSCRIPT

*ibm db2*
 - clientRerouteServerListJNDIName

*sqlite*
 - resource:xxx

*bad JDBC scheme*
 - jdbc:jcr:jndi
 - jdbc:mysql:fabric

  was:
>From Pho3n1x:

There is a vulnerability on adding jdbc data source with unchecked jdbc url 
which may cause kylin server connect to a malicious remote server and get 
unexpected result with code execution script invoked.

 

DBs and its' vulnerable url parameters are:

*derby*
- startMaster
- slaveHost

*mysql*
- autoDeserialize
- queryInterceptors
- statementInterceptors
- detectCustomCollations

*h2*
- INIT=RUNSCRIPT

*ibm db2*
- clientRerouteServerListJNDIName

*sqlite*
- resource:xxx

*bad JDBC scheme*
- jdbc:jcr:jndi
- jdbc:mysql:fabric


> JDBC remote code execution vulnerability
> ----------------------------------------
>
>                 Key: KYLIN-5994
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5994
>             Project: Kylin
>          Issue Type: Bug
>          Components: RDBMS Source
>    Affects Versions: 5.0.0
>            Reporter: Yinghao Lin
>            Priority: Major
>             Fix For: 5.0.1
>
>
> There is a vulnerability on adding jdbc data source with unchecked jdbc url 
> which may cause kylin server connect to a malicious remote server and get 
> unexpected result with code execution script invoked. (from Pho3n1x)
>  
> DBs and its' vulnerable url parameters are:
> *derby*
>  - startMaster
>  - slaveHost
> *mysql*
>  - autoDeserialize
>  - queryInterceptors
>  - statementInterceptors
>  - detectCustomCollations
> *h2*
>  - INIT=RUNSCRIPT
> *ibm db2*
>  - clientRerouteServerListJNDIName
> *sqlite*
>  - resource:xxx
> *bad JDBC scheme*
>  - jdbc:jcr:jndi
>  - jdbc:mysql:fabric



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to