CVE-2022-39944: 
Java vulnerability analysis and mitigation

A deserialization vulnerability was discovered in Apache Linkis versions 1.2.0 and earlier when used with MySQL Connector/J. The vulnerability, tracked as CVE-2022-39944, was reported by security researchers 4ra1n and zac from ZAC Security Team. The flaw could potentially lead to remote code execution when an attacker has write access to a database and configures a JDBC EngineConn with a MySQL data source containing malicious parameters (SecurityOnline, NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and received a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue specifically exists in the JDBC EngineConn module, where improper handling of JDBC URL parameters could lead to deserialization of untrusted data (NVD).

The vulnerability allows attackers with write access to the database to potentially execute arbitrary code remotely on the affected system through malicious JDBC parameters. This could lead to complete system compromise, affecting the confidentiality, integrity, and availability of the system (SecurityOnline).

Users are strongly advised to upgrade to Apache Linkis version 1.3.0 or later, which contains the fix for this vulnerability. Alternatively, users can upgrade the JDBC EngineConn components separately. The fix implements blacklisting of potentially dangerous parameters in the JDBC URL (SecurityOnline).