Dataease Impala Data Source Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability affects the Impala data source in Dataease versions up to and including 2.10.12. The 'getJdbc' method of the 'io.dataease.datasource.type.Impala' class does not adequately filter the user-supplied JDBC connection string, so an attacker who can create or edit an Impala data source can inject arbitrary connection parameters. A crafted connection string that references a remote configuration resource causes the Dataease server to perform a JNDI lookup against an attacker-controlled RMI endpoint; the object returned by that lookup is deserialized on the server, and the deserialization gadget executes attacker-supplied code. The issue is reproduced simply by editing a data source so that its JDBC connection string contains such a reference.

Impact

Successful exploitation gives the attacker remote code execution on the host where Dataease is running, with the privileges of the Dataease server process. Because the attack is delivered through a stored data source definition, it requires a user who is permitted to create or edit data sources, and it requires the Dataease server to be able to open outbound network connections to the attacker's RMI endpoint.

Reproduction

To reproduce the issue, first host a malicious JAR file containing a Spring deserialization payload on a server that the Dataease instance can reach over the network, and start an RMI server on attacker-controlled infrastructure to serve the JNDI reference. Then, as a user permitted to manage data sources, create a new data source in Dataease and select Apache Impala as the database type. Choose the JDBC connection method and supply a connection string whose parameters reference the remote JNDI resource that points at the hosted JAR. When the data source is saved, Dataease resolves the JNDI reference, the RMI server receives the lookup, and the returned object is deserialized on the Dataease server, executing the injected payload. Note that the attack fails if the Dataease server has no outbound route to the attacker's RMI and JAR hosts, which makes egress filtering a useful compensating control.

Remediation

Users are advised to upgrade to Dataease version 2.10.13, where this vulnerability has been patched. Until the upgrade is applied, review existing Impala data sources for unexpected JDBC connection parameters (in particular, any parameter value that carries a URL scheme or points at an external host), and restrict the Dataease server's outbound connections so that it cannot reach arbitrary external RMI endpoints, which removes the delivery path for the JNDI payload.
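The root cause is that a free-form JDBC connection string reaches the driver unfiltered. The following is an added example, not Dataease's own code and not the 2.10.13 patch, of what adequate filtering looks like for an Impala-style URL: the URL is parsed into host, port, schema and a parameter list, parameter names are checked against an allow-list, and parameter values are restricted to plain tokens so that a value can never carry a URL scheme such as rmi:// or a path to a remote resource. The accepted URL shape and the allow-listed parameter names are assumptions chosen for the demonstration; a real deployment would take the list from the driver properties it actually needs.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative allow-list validator for a user-supplied Impala JDBC URL.
 * Added example: this is not DataEase code and not the actual patch.
 * The URL shape and the parameter allow-list are assumptions for the demo.
 */
public final class ImpalaJdbcUrlValidator {

    // Accepted shape: jdbc:impala://host:port[/schema][;Key=Value]*
    // Host is restricted to DNS characters, schema to identifier characters,
    // and the trailing parameter block to semicolon-separated segments.
    private static final Pattern URL_SHAPE = Pattern.compile(
        "^jdbc:impala://([A-Za-z0-9.-]{1,253}):(\\d{1,5})"
        + "(?:/([A-Za-z0-9_]{0,64}))?((?:;[^;]*)*)$");

    // Parameters an editor may set (assumed list of driver auth/TLS properties).
    // Anything not listed here, including driver-internal or loader settings,
    // is rejected outright rather than deny-listed.
    private static final Set<String> ALLOWED_KEYS = Set.of(
        "authmech", "uid", "pwd", "usesasl", "ssl",
        "krbrealm", "krbhostfqdn", "krbservicename");

    // Values must be plain tokens: no ':' or '/' (so no URL schemes or paths),
    // no quotes, no whitespace.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_.@-]{0,128}$");

    public static final class InvalidJdbcUrl extends IllegalArgumentException {
        public InvalidJdbcUrl(String msg) { super(msg); }
    }

    /** Parses and validates the URL; returns its normalized parts or throws. */
    public static Map<String, String> validate(String url) {
        if (url == null) throw new InvalidJdbcUrl("url is null");
        Matcher m = URL_SHAPE.matcher(url.trim());
        if (!m.matches()) {
            throw new InvalidJdbcUrl("url does not match jdbc:impala://host:port[/schema][;k=v]*");
        }
        int port = Integer.parseInt(m.group(2));
        if (port < 1 || port > 65535) throw new InvalidJdbcUrl("port out of range: " + port);

        Map<String, String> parts = new LinkedHashMap<>();
        parts.put("host", m.group(1));
        parts.put("port", m.group(2));
        parts.put("schema", m.group(3) == null ? "" : m.group(3));

        String params = m.group(4);
        if (params != null && !params.isEmpty()) {
            // Drop the leading ';' and keep empty segments so "a=b;;" is rejected.
            for (String kv : params.substring(1).split(";", -1)) {
                int eq = kv.indexOf('=');
                if (eq <= 0) throw new InvalidJdbcUrl("malformed parameter: '" + kv + "'");
                String key = kv.substring(0, eq).toLowerCase(Locale.ROOT);
                String value = kv.substring(eq + 1);
                if (!ALLOWED_KEYS.contains(key)) throw new InvalidJdbcUrl("parameter not allowed: " + key);
                if (!SAFE_VALUE.matcher(value).matches()) throw new InvalidJdbcUrl("unsafe value for " + key);
                parts.put(key, value);
            }
        }
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one smuggling an external RMI reference.
        String[] samples = {
            "jdbc:impala://impala.internal:21050/sales;AuthMech=3;UID=report;PWD=s3cret",
            "jdbc:impala://impala.internal:21050/sales;AuthMech=3;SomeProp=rmi://attacker.example:1099/obj",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s));
            } catch (InvalidJdbcUrl e) {
                System.out.println("REJECT " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

Running the class accepts the first sample and rejects the second on the unknown parameter name; even if SomeProp were added to the allow-list, the value would still be rejected by SAFE_VALUE because it contains ':' and '/'. The design choice that matters is the order of defences: an allow-list of names first, then a character-class restriction on values, and no attempt to enumerate dangerous schemes, since a deny-list of "rmi", "ldap" and similar strings is easy to evade with case or encoding tricks.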

Added: Sep 15, 2025, 7:24 PM
Updated: Sep 15, 2025, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.