AVID-2026-R0821
Description
MySQL JDBC Connector Deserialization RCE (CVE-2021-36774)
Details
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain connection properties which, if left unmitigated, allow an attacker who controls a malicious MySQL server to execute arbitrary code within Kylin server processes. This issue affects Apache Kylin 2 up to and including version 2.6.6, and Apache Kylin 3 up to and including version 3.1.2.
Reason for inclusion in AVID: CVE-2021-36774 describes a deserialization-based remote code execution via the MySQL JDBC connector when used within Apache Kylin. This is a software vulnerability in a data-processing component that can be part of AI data pipelines, and it represents a software supply-chain risk for general-purpose AI systems that rely on such components for data ingestion and processing. The issue is an actual security vulnerability (RCE), and the report carries sufficient textual signal to classify it as such.
References
- NVD entry
- https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
- http://www.openwall.com/lists/oss-security/2022/01/06/5
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Kylin |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-01-06
- Version: 0.3.3
- AVID Entry