====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN286
_____________________________________________________________________

DATE                : 20/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kylin versions prior to
                                      3.0.2, 2.6.6.

=====================================================================
https://lists.apache.org/thread.html/rc574fef23740522f62ab3bbda4f6171be98aa7a25f3f54be143a80a8%40%3Cuser.kylin.apache.org%3E
_____________________________________________________________________

Severity: Important


Vendor:
The Apache Software Foundation

Versions Affected:
Kylin 2.3.0 to 2.3.2
Kylin 2.4.0 to 2.4.1
Kylin 2.5.0 to 2.5.2
Kylin 2.6.0 to 2.6.5
Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin
3.0.1


Description:
Kylin has some restful apis which will concatenate os command with the
user input string, a user is likely to be able to execute any os command
without any protection or validation.


Mitigation:
Users should upgrade to 3.0.2 or 2.6.6 or set
kylin.tool.auto-migrate-cube.enabled to false to disable command
execution.


Credit:
This issue was discovered by Johannes Dahse.


References:
https://kylin.apache.org/docs/security.html



Best regards,


Ni Chunen / George


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================