Preface: Apache Linkis is a computation middleware that acts as a layer between upper-level applications and underlying engines, such as Apache Spark, Apache Hive and Apache Flink. It started as an Apache Incubator project in 2021 and graduated to a Top Level Project in January 2023.
Background: Linkis provides standardized interfaces (REST, JDBC, WebSocket etc.) to easily connect to various underlying engines (Spark, Presto, Flink, etc.), and acts as a proxy between the upper applications layer and underlying engines layer.
Ref: Py4J is a popularly library integrated within PySpark that lets python interface dynamically with JVM objects (RDD’s). Apache Spark comes with an interactive shell for python as it does for Scala. The shell for python is known as “PySpark”. To use PySpark you will have to have python installed on your machine.
Vulnerability details: In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang’s RandomStringUtils.
Remedy: Users are recommended to upgrade to version 1.6.0, which fixes this issue.
Official announcement: Please refer to the vendor announcement for details – https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw