Dataease is an open-source data visualization and analysis tool widely used by data professionals across industries. Versions of Dataease prior to 1.15.2 contain a deserialization vulnerability, tracked as CVE-2022-39312, that lets an authenticated user who can edit a data source run code on the Dataease server. This post walks through the vulnerability, the affected code, and the steps needed to protect your instance.

The Vulnerability

In Dataease, the MySQL data source feature lets users supply both the target MySQL server and custom JDBC (Java Database Connectivity) connection parameters. The MysqlConfiguration class in backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java applies no filtering to these parameters: whatever the user types is appended to the JDBC URL and handed to the MySQL driver.

That matters because the user also chooses the server. An attacker who can edit a data source can point it at a MySQL server they control and add JDBC parameters that make the MySQL Connector/J client deserialize data returned by that server. Since the attacker controls the server's responses, they control what gets deserialized, which turns the connection test into a Java deserialization attack against the Dataease host.

The result is execution of system commands with the privileges of the Dataease process, and from there data theft, full server compromise, and lateral movement into the rest of the environment.

The Affected Code

The following snippet from backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java shows the problem in the MysqlConfiguration class: the URL assembled from user input reaches DriverManager.getConnection without any inspection of its parameters:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class MysqlConfiguration extends JdbcProvider {
    /* ... */

    // url is built from the data source form (host, port, database and the
    // user-supplied extra parameters) and is passed through unchanged.
    public Connection getConnection(String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        Class.forName("com.mysql.jdbc.Driver");
        return DriverManager.getConnection(url, username, password);
    }

    /* ... */
}

Because nothing between the form and DriverManager rejects driver options, an attacker can append the Connector/J parameters that enable client-side deserialization and direct the connection at a malicious MySQL server. When Dataease connects (for example, when the data source is validated or a query is run), the driver deserializes the server's response on the Dataease host, which is what the CVE describes as triggering the MySQL JDBC deserialization vulnerability. The attacker then executes system commands with the privileges of the Dataease process, compromising both the server and the data it holds.

References

1. The Dataease project on GitHub: https://github.com/dataease/dataease
2. CVE-2022-39312 National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2022-39312
3. Dataease release notes for version 1.15.2, which contains the patch: https://github.com/dataease/dataease/releases/tag/v1.15.2

Solution & Patch

To address this vulnerability, upgrade to Dataease version 1.15.2 or later. That release adds filtering and validation of the JDBC connection parameters so that user-supplied options can no longer reach the driver unchecked. The latest version is available from the project's GitHub releases page: https://github.com/dataease/dataease/releases

If you cannot upgrade immediately, reduce exposure in the meantime: limit data source creation and editing to trusted administrators, restrict outbound connections from the Dataease host to the MySQL servers it is actually meant to reach, and review existing MySQL data sources for unexpected hosts or extra JDBC parameters.
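To make the "filter and validate the parameters" advice concrete, here is an added example of what a hardened replacement for the getConnection path above can look like. This is illustrative code written for this post, not Dataease's own patch: the class name SafeMysqlConnector, the method names, the allowlist contents and the approved-host list are all assumptions. It rejects every JDBC option that is not explicitly allowlisted, refuses URL forms it cannot parse unambiguously, and rebuilds the URL from checked parts rather than forwarding the user's string.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not Dataease's code: validate a user-supplied MySQL JDBC URL
 * and rebuild it from checked parts before it reaches DriverManager.
 * Class name, method names and the approved-host list are illustrative.
 */
public final class SafeMysqlConnector {

    // Allowlist of Connector/J options a dashboard user may legitimately need.
    // Everything else (autoDeserialize, queryInterceptors, statementInterceptors,
    // allowLoadLocalInfile, ...) is rejected by omission, so a new option has to
    // be added here on purpose. Keys are compared case-insensitively because
    // Connector/J treats them that way.
    private static final Set<String> ALLOWED_PARAMS = new HashSet<>(Arrays.asList(
            "usessl", "requiressl", "verifyservercertificate",
            "servertimezone", "characterencoding", "useunicode",
            "connecttimeout", "sockettimeout"));

    private static final Pattern IDENT = Pattern.compile("[A-Za-z0-9_]{1,64}");
    // No '%' in values: percent-encoding is refused outright so a driver-side
    // decode can never turn an innocent-looking parameter into a forbidden one.
    private static final Pattern VALUE = Pattern.compile("[A-Za-z0-9_/+:.-]{1,64}");

    // Hosts an operator has approved as data sources. Assumed to come from
    // deployment configuration, never from the request being validated.
    private final Set<String> approvedHosts = new HashSet<>();

    public SafeMysqlConnector(Set<String> hosts) {
        for (String h : hosts) approvedHosts.add(h.toLowerCase(Locale.ROOT));
    }

    /** Returns a canonical URL built only from validated components, or throws. */
    public String canonicalize(String url) {
        if (url == null || !url.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("only plain jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try {
            uri = new URI(url.substring("jdbc:".length()));   // "mysql://host:port/db?k=v"
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable JDBC URL", e);
        }
        // Multi-host lists, address=(...) syntax and user:pass@ forms either leave
        // getHost() null or set userinfo; all are rejected rather than interpreted.
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException("unsupported authority in JDBC URL");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!approvedHosts.contains(host)) {
            throw new IllegalArgumentException("host not approved as a data source: " + host);
        }
        int port = uri.getPort() == -1 ? 3306 : uri.getPort();
        String db = uri.getPath() == null ? "" : uri.getPath().replaceFirst("^/", "");
        if (!db.isEmpty() && !IDENT.matcher(db).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }
        Map<String, String> params = filterParams(uri.getRawQuery());
        StringBuilder out = new StringBuilder("jdbc:mysql://")
                .append(host).append(':').append(port).append('/').append(db);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            out.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return out.toString();
    }

    /** Keeps only allowlisted keys with simple values; any other pair aborts. */
    static Map<String, String> filterParams(String rawQuery) {
        Map<String, String> kept = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return kept;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = (eq < 0 ? pair : pair.substring(0, eq)).toLowerCase(Locale.ROOT);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            if (!ALLOWED_PARAMS.contains(key) || !VALUE.matcher(value).matches()) {
                throw new IllegalArgumentException("JDBC parameter not permitted: " + pair);
            }
            kept.put(key, value);
        }
        return kept;
    }

    public Connection getConnection(String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        Class.forName("com.mysql.jdbc.Driver");
        return DriverManager.getConnection(canonicalize(url), username, password);
    }

    public static void main(String[] args) {
        SafeMysqlConnector c = new SafeMysqlConnector(new HashSet<>(Arrays.asList("db.internal.example")));
        // Accepted: approved host, allowlisted options only.
        System.out.println(c.canonicalize("jdbc:mysql://db.internal.example/sales?useSSL=true&serverTimezone=UTC"));
        String[] bad = {
            // The Connector/J option pair that makes the client deserialize server-supplied data.
            "jdbc:mysql://db.internal.example/sales?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
            "jdbc:mysql://attacker.example:3306/sales",             // host not on the approved list
            "jdbc:mysql://db.internal.example/sales?useSSL=%74rue"  // percent-encoded value
        };
        for (String u : bad) {
            try { c.canonicalize(u); System.out.println("ACCEPTED (bug): " + u); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Two design choices carry most of the weight here. An allowlist of option names fails closed: a future driver option that enables some new dangerous behaviour is rejected without anyone having to learn about it first, whereas a denylist of known-bad names has to be kept current. And the host check addresses the other half of the attack, since the deserialization payload only arrives if Dataease connects to a server the attacker controls; an approved-host list is a deployment decision, so treat the one in main as a placeholder for your own configuration.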

Conclusion

This deserialization vulnerability in Dataease (CVE-2022-39312) exposes your server and data to significant risks, including unauthorized access, data theft, and server compromise. Updating to Dataease version 1.15.2 or later is essential for securing your instance and protecting your data. Stay current with updates and follow best security practices to minimize the chances of exploitation and other cyber security incidents.

Remember: Regularly updating your software and staying informed about potential vulnerabilities are critical steps in maintaining a secure environment.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:24:00 UTC