CVE-2020-1937 Apache Kylin SQL injection vulnerability

Severity

Important

Vendor

The Apache Software Foundation

Versions Affected

Kylin 2.3.0 to 2.3.2

Kylin 2.4.0 to 2.4.1

Kylin 2.5.0 to 2.5.2

Kylin 2.6.0 to 2.6.4

Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0

Description

Kylin has some restful apis which will concat sqls with the user input string, a user is likely to be able to run malicious database queries.

Mitigation

Users should upgrade to 3.0.1 or 2.6.5

Credit

This issue was discovered by Jonathan Leitschuh

CVE-2020-1956 Apache Kylin command injection vulnerability

Severity

Important

Vendor

The Apache Software Foundation

Versions Affected

Kylin 2.3.0 to 2.3.2

Kylin 2.4.0 to 2.4.1

Kylin 2.5.0 to 2.5.2

Kylin 2.6.0 to 2.6.5

Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin 3.0.1

Description

Kylin has some restful api which will concat os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

Mitigation

Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabled to false to disable command execution.

Credit

This issue was discovered by Johannes Dahse

CVE-2021-27738 Improper Access Control to Streaming Coordinator & SSRF

Severity

Moderate

Versions Affected

Kylin 3.0.0-alpha to 3.1.2

Description

All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.

For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.

Mitigation

Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646.

Credit

This issue was discovered by Wei Lin Ngo

CVE-2021-31522 Apache Kylin unsafe class loading

Severity

Moderate

Versions Affected

Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0

Description

Kylin can receive user input and load any class through Class.forName(…).

Mitigation

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.

Credit

This issue was discovered by bo yu

CVE-2021-36774 Mysql JDBC Connector Deserialize RCE

Severity

Moderate

Versions Affected

Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2

Description

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes.

Mitigation

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1694.

Credit

This issue was discovered by jinchen sheng

CVE-2021-45456 Command injection

Severity

Moderate

Versions Affected

Kylin 4.0.0

Description

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.

Mitigation

Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.

Credit

This issue was discovered by Alvaro Munoz

CVE-2021-45457 Overly broad CORS configuration

Severity

Moderate

Versions Affected

Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0

Description

Cross-origin requests with credentials are allowed to be sent from any origin.

Kylin reflects the Origin header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:
OPTIONS /kylin/api/projects HTTP/1.1 Host: localhost:7070 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type Referer: http://b49b-95-62-58-48.ngrok.io/ Origin: http://b49b-95-62-58-48.ngrok.io Connection: keep-alive Cache-Control: max-age=0

Will be replied with:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
Access-Control-Allow-Credentials: true
Vary: Origin
Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
Content-Length: 0

Mitigation

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.

Credit

This issue was discovered by Alvaro Munoz

CVE-2021-45458 Hardcoded credentials

Severity

Moderate

Versions Affected

Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0

Description

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin’s configuration file, there is a risk that the password may be decrypted.

Mitigation

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.

Credit

This issue was discovered by Alvaro Munoz