====================================================================

                                 CERT-Renater

                     Note d'Information No. 2024/VULN383
_____________________________________________________________________

DATE                : 25/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Linkis versions 
            prior to 0.1.6.0.

=====================================================================
https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw
_____________________________________________________________________

CVE-2024-39928: Apache Linkis Spark EngineConn: Commons Lang's
RandomStringUtils Random string security vulnerability


Severity: moderate

Affected versions:

- Apache Linkis Spark EngineConn 1.3.0 before 1.6.0

Description:

In Apache Linkis <= 1.5.0, the Spark EngineConn is affected by a random
string security vulnerability: the token generated when starting Py4j is
produced with Commons Lang's RandomStringUtils, which by default draws
from java.util.Random and is not a cryptographically secure source.


Users are recommended to upgrade to version 1.6.0, which fixes this
issue.
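The following is an added illustration, not code from Apache Linkis or from
this advisory, of the weak pattern the advisory describes beside two hardened
forms. The class and method names are hypothetical. It assumes Commons Lang 3
on the classpath; the RandomStringUtils overload that accepts a
java.util.Random source has been available for a long time (recent releases
also expose a secure() factory, check your version), and SecureRandom is plain
JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

// Hypothetical demonstration class; not part of Apache Linkis.
public class Py4jTokenExample {

    private static final int TOKEN_LENGTH = 32;

    // Weak pattern: randomAlphanumeric() uses a shared java.util.Random,
    // a 48-bit linear congruential generator whose output sequence is
    // fully determined by its seed and can be reconstructed from a few
    // observed outputs. Unsuitable for an authentication token.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
    }

    // Shows why: two java.util.Random instances with the same seed yield
    // the same "random" token. Returns true when the tokens collide.
    static boolean seededTokensCollide(long seed) {
        String a = RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, new Random(seed));
        String b = RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, new Random(seed));
        return a.equals(b);
    }

    // Fix option 1: keep RandomStringUtils for the alphanumeric format but
    // inject a SecureRandom through the overload that takes a Random source.
    static String secureToken() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, new SecureRandom());
    }

    // Fix option 2: plain JDK, no Commons Lang dependency. 256 bits from
    // SecureRandom, URL-safe Base64 so the token is safe on a command line.
    static String secureTokenJdk() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("weak (java.util.Random)  : " + weakToken());
        System.out.println("same seed => same token  : " + seededTokensCollide(1234L));
        System.out.println("secure (RandomStringUtils): " + secureToken());
        System.out.println("secure (JDK only)         : " + secureTokenJdk());
        System.out.println("jdk token bytes           : "
            + secureTokenJdk().getBytes(StandardCharsets.UTF_8).length);
    }
}
```

When auditing a code base for this class of issue, search for
RandomStringUtils.random*, java.util.Random and Math.random() on any path
that produces a token, session id, password or secret, and confirm that the
source is SecureRandom (or an explicitly injected one).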


Credit:

Hen (reporter)
Pj fanning (reporter)


References:

https://linkis.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-39928

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
