SB2022010627 - Multiple vulnerabilities in Apache Kylin
Published: January 6, 2022
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-27738)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in "StreamingCoordinatorController.java" when handling requests sent to "/kylin/api/streaming_coordinator/*" REST API endpoints. A remote non-authenticated attacker can send a specially crafted HTTP request and force the application to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-36774)
The vulnerability allows a remote user to compromise the affected application.
The vulnerability exists because Apache Kylin allows users to read data from other database systems over JDBC. A remote user can execute arbitrary code within Kylin server processes from a malicious MySQL server under their control.
3) Input validation error (CVE-ID: CVE-2021-31522)
The vulnerability allows a remote user to compromise the affected application.
The vulnerability exists because the application allows any class to be loaded through a Class.forName(...) call. A remote user can execute arbitrary code on the system.
4) Storing passwords in a recoverable format (CVE-ID: CVE-2021-45458)
The vulnerability allows a local user to decrypt passwords.
The vulnerability exists because users' passwords are encrypted by the PasswordPlaceholderConfigurer class with a hard-coded key and IV. A local user able to read the Apache Kylin configuration file can obtain the hard-coded key and IV and decrypt the passwords of application users.
5) Origin validation error (CVE-ID: CVE-2021-45457)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insecure application configuration that allows cross-origin requests with credentials to be sent from any origin. A remote attacker can exploit this vulnerability to bypass browser protection mechanisms and perform XSS attacks against application users.
6) OS Command Injection (CVE-ID: CVE-2021-45456)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to improper input validation when processing project names. A remote user can pass a specially crafted project name that is later used as a shell command argument in DiagnosisService and execute arbitrary OS commands on the system.
Remediation
Install updates from the vendor's website.
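As an added illustration of the project-name handling behind item 6 (example code written for this bulletin, not Kylin's own), the defensive pattern is an allowlist on the name plus invoking the OS tool with an argument vector rather than a shell string. The tool name and option names are placeholders, and the child process is the Python interpreter standing in for the diagnosis tool so the example runs offline.

```python
import re
import shlex
import subprocess
import sys

# Assumed allowlist policy for this example (not Kylin's own rule):
# letters, digits, underscore and hyphen, 1 to 64 characters.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_safe_project_name(name: str) -> bool:
    """Allowlist check: anything a shell or path could interpret is rejected."""
    return PROJECT_NAME_RE.fullmatch(name) is not None


def build_diagnosis_argv(tool: str, project: str, dest_dir: str) -> list[str]:
    """Build the child-process argument vector for a diagnosis tool.

    Two independent defences: the allowlist above, and an argv list (never a
    concatenated shell string) so every value is exactly one literal argument.
    'tool', '--project' and '--dest' are placeholders, not Kylin's real CLI.
    """
    if not is_safe_project_name(project):
        raise ValueError(f"rejected project name: {project!r}")
    return [tool, "--project", project, "--dest", dest_dir]


def command_for_log(argv: list[str]) -> str:
    """Quote argv for an audit log line so metacharacters stay inert there too."""
    return shlex.join(argv)


def child_sees(project: str) -> str:
    """Defence-in-depth demo: spawn a child with shell=False and return the
    single argv element it received, unchanged even when the name contains
    shell metacharacters. The interpreter stands in for the diagnosis tool."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", project],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def triage(names: list[str]) -> tuple[list[str], list[str]]:
    """Split existing project names into (accepted, rejected), the kind of
    sweep an operator runs over current projects after applying the update."""
    accepted = [n for n in names if is_safe_project_name(n)]
    rejected = [n for n in names if not is_safe_project_name(n)]
    return accepted, rejected
```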
References
- https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70
- http://www.openwall.com/lists/oss-security/2022/01/06/6
- https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
- http://www.openwall.com/lists/oss-security/2022/01/06/5
- https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
- http://www.openwall.com/lists/oss-security/2022/01/06/4
- https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy
- http://www.openwall.com/lists/oss-security/2022/01/06/3
- http://www.openwall.com/lists/oss-security/2022/01/06/7
- https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m
- http://www.openwall.com/lists/oss-security/2022/01/06/2
- https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf
- http://www.openwall.com/lists/oss-security/2022/01/06/1