DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
DataEase versions 2.10.20 and below contain a critical remote code execution vulnerability through unsafe Java deserialization in Quartz job scheduling. An authenticated attacker exploiting SQL injection can inject malicious serialized gadget chains into job data, achieving arbitrary command execution as root when scheduled jobs trigger. This vulnerability chains multiple weaknesses (CWE-502 deserialization, SQL injection, missing input validation) and is actively exploitable with public proof-of-concept code available.
IMMEDIATE ACTIONS:
1. Identify all DataEase instances in your environment (check ports 8080, 8081, custom ports) and document versions
2. Restrict network access to DataEase to authorized users only; implement network segmentation
3. Review Quartz job_details table for suspicious JOB_DATA entries (look for serialized Java objects, base64-encoded gadget chains)
4. Monitor application logs for deserialization errors, ClassNotFoundException, or unexpected job executions
5. Audit database access logs for SQL injection attempts targeting qrtz_job_details table
PATCHING GUIDANCE:
1. Upgrade immediately to DataEase 2.10.21 or later (patch available)
2. If upgrade not immediately possible, apply these compensating controls:
- Disable Quartz job scheduling if not required for operations
- Implement database-level access controls restricting writes to qrtz_* tables
- Apply input validation/WAF rules blocking SQL injection patterns in previewSql parameter
DETECTION RULES:
1. Monitor for SQL injection attempts: SELECT/UPDATE statements targeting qrtz_job_details with encoded payloads
2. Alert on deserialization exceptions in DataEase logs containing 'InvokerTransformer', 'CommonsCollections', 'ObjectInputStream'
3. Monitor process execution from DataEase container for unexpected child processes or shell commands
4. Track database modifications to qrtz_job_details outside normal application workflows
5. IDS/IPS signatures: Look for CommonsCollections6 gadget chain patterns in HTTP POST bodies to /api/preview endpoints
الإجراءات الفورية:
1. تحديد جميع مثيلات DataEase في بيئتك وتوثيق الإصدارات
2. تقييد الوصول الشبكي إلى DataEase للمستخدمين المصرح لهم فقط
3. مراجعة جدول job_details للبحث عن إدخالات JOB_DATA المريبة
4. مراقبة سجلات التطبيق لأخطاء فك التسلسل والتنفيذ غير المتوقع
5. تدقيق سجلات الوصول للبحث عن محاولات حقن SQL
إرشادات التصحيح:
1. الترقية الفورية إلى DataEase 2.10.21 أو أحدث
2. إذا لم تكن الترقية ممكنة فوراً، طبق هذه الضوابط البديلة:
- تعطيل جدولة Quartz إذا لم تكن مطلوبة
- تطبيق التحكم في الوصول على مستوى قاعدة البيانات
- تطبيق قواعد التحقق من صحة الإدخال لمنع حقن SQL
قواعد الكشف:
1. مراقبة محاولات حقن SQL في جداول qrtz_job_details
2. تنبيهات على استثناءات فك التسلسل تحتوي على 'InvokerTransformer' أو 'CommonsCollections'
3. مراقبة تنفيذ العمليات غير المتوقعة من حاوية DataEase
4. تتبع التعديلات على قاعدة البيانات خارج سير العمل العادي