CVE-2020-13926
Severity
Important
Versions Affected
Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2
Description
Kylin concatenates and executes some Hive SQL statements in Hive CLI or beeline when building new segments; some parts of the SQL are from system configurations, while the configuration can be overwritten by certain rest API, which make SQL injection attack is possible.
Mitigation
Users of all previous versions after 2.0 should upgrade to 3.1.0.
Credit
We would like to thank Rupeng Wang from Kyligence for reporting and fix this issue.
CVE-2020-13925
Severity
Important
Versions Affected
Kylin 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2
Description
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers have the possibility to execute OS command remotely.
Mitigation
Users of all previous versions after 2.3 should upgrade to 3.1.0.
Credit
We would like to thank Clancey clanceyz@protonmail.com for reporting this issue.
CVE-2020-1937 Apache Kylin SQL injection vulnerability
Severity
Important
Versions Affected
Kylin 2.3.0 to 2.3.2, 2.4.0 to 2.4.1, 2.5.0 to 2.5.2, 2.6.0 to 2.6.4, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0
Description
Kylin has some restful apis which will concat sqls with the user input string, a user is likely to be able to run malicious database queries.
Mitigation
Users should upgrade to 3.0.1 or 2.6.5
Credit
This issue was discovered by Jonathan Leitschuh
CVE-2020-1956 Apache Kylin command injection vulnerability
Severity
Important
Versions Affected
Kylin 2.3.0 to 2.3.2, 2.4.0 to 2.4.1, 2.5.0 to 2.5.2, 2.6.0 to 2.6.5, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1
Description
Kylin has some restful api which will concat os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
Mitigation
Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabled to false to disable command execution.
Credit
This issue was discovered by Johannes Dahse