
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN414
_____________________________________________________________________

DATE                : 17/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kylin versions prior to 3.1.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/kylin-dev/202007.mbox/%3cCANfpUctK9ke_EpD96vcSsDE9R7c4uEUWxpM5U_LA=u5_-A49cQ@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/kylin-dev/202007.mbox/%3cCANfpUcvwj11jKrKF7A0B2LsLfp3NBWFWMcdzT_uoxxuLBnBhaA@mail.gmail.com%3e
_____________________________________________________________________

[SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability

Versions Affected: 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1,
2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha,
3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2

Description:

Similar to CVE-2020-1956, Kylin has one more restful API which
concatenates the API inputs into OS commands and then executes them on
the server; while the reported API misses necessary input validation,
which causes the hackers to have the possibility to execute OS commands
remotely.

Mitigation:
Users of all previous versions after 2.3 should upgrade to 3.1.0.

Credit:
We would like to thank Clancey <clanceyz () protonmail com> for
reporting this issue.

Best regards,

Shaofeng Shi 史少锋
Apache Kylin PMC
Email: shaofengshi () apache org

Apache Kylin FAQ: https://kylin.apache.org/docs/gettingstarted/faq.html
Join Kylin user mail group: user-subscribe () kylin apache org
Join Kylin dev mail group: dev-subscribe () kylin apache org
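The two patterns behind a bug of this class, shown side by side as an added illustration (this is not Kylin's code, nor code from the advisory's authors): a request parameter spliced into a shell command line, versus the same parameter checked against an allow-list and handed to ProcessBuilder as one discrete argv element so that no shell ever parses it. TOOL_PATH, the parameter name and the sample values are placeholders constructed for the example.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: unsafe concatenation into a shell command line versus
 * allow-list validation plus a shell-free ProcessBuilder invocation.
 * TOOL_PATH and the parameter name are placeholders, not Kylin's real code.
 */
public final class CommandParamHandling {

    private static final String TOOL_PATH = "/path/to/tool.sh"; // placeholder path

    // Conservative allow-list for a name-like parameter: letters, digits, underscore.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    /** Vulnerable pattern: the value is concatenated into a string handed to a shell. */
    static String buildUnsafeCommandLine(String name) {
        // Any shell metacharacter inside 'name' is interpreted by the shell.
        return "sh " + TOOL_PATH + " " + name;
    }

    /** Hardened pattern: reject anything outside the allow-list, then avoid the shell. */
    static List<String> buildSafeArgv(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("parameter rejected by allow-list");
        }
        // ProcessBuilder receives discrete arguments; no shell parses them.
        return List.of(TOOL_PATH, name);
    }

    /** Runs the validated argv without a shell; exit code is returned to the caller. */
    static int run(List<String> argv) throws IOException, InterruptedException {
        return new ProcessBuilder(argv).inheritIO().start().waitFor();
    }

    public static void main(String[] args) {
        String normal = "sales_2020";
        String hostile = "sales_2020; echo injected"; // constructed: carries a shell separator

        System.out.println("unsafe: " + buildUnsafeCommandLine(hostile));
        System.out.println("safe:   " + buildSafeArgv(normal));
        try {
            buildSafeArgv(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe:   " + e.getMessage());
        }
    }
}
```

The allow-list is the primary control; passing an argument list to ProcessBuilder is the second layer, since it removes the shell that would otherwise interpret separators, quotes and substitutions in the parameter.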

_____________________________________________________________________

[SECURITY][CVE-2020-13926] Apache Kylin SQL injection vulnerability

Versions Affected: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5,
2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2

Description:

Kylin concatenates and executes some Hive SQL statements in Hive CLI or
beeline when building new segments; some parts of the SQL are from
system configurations, while the configuration can be overwritten by
certain rest API, which makes SQL injection attacks possible.

Mitigation:
Users of all previous versions after 2.0 should upgrade to 3.1.0.

Credit:
We would like to thank Rupeng Wang from Kyligence for reporting and
fixing this issue.

Best regards,

Shaofeng Shi 史少锋
Apache Kylin PMC
Email: shaofengshi () apache org

Apache Kylin FAQ: https://kylin.apache.org/docs/gettingstarted/faq.html
Join Kylin user mail group: user-subscribe () kylin apache org
Join Kylin dev mail group: dev-subscribe () kylin apache org
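Hive CLI and beeline execute statement text, so there is no parameter binding to lean on: every fragment that originates in configuration has to be validated for its expected shape before concatenation, and the set of configuration keys a request may override has to be restricted. The following added example (not Kylin's code, nor code from the advisory's authors) shows the verbatim-concatenation pattern beside a hardened builder that does both. The key name target.database, the OVERRIDABLE set and the sample values are placeholders constructed for the example; hive.exec.compress.output is a real Hive property used only as a boolean-valued setting.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: Hive statement text assembled from configuration values.
 * Fragments are validated per expected shape and request overrides are
 * limited to an allow-list of keys. Key names other than
 * hive.exec.compress.output are placeholders, not Kylin's real configuration.
 */
public final class HiveStatementBuilder {

    // Hive-style identifier: letter or underscore, then letters, digits, underscores.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    // Placeholder allow-list: the only keys a request is permitted to override.
    private static final Set<String> OVERRIDABLE = Set.of("hive.exec.compress.output");

    /** Vulnerable pattern: configuration values pasted verbatim into the statement. */
    static String buildUnsafe(Map<String, String> conf) {
        return "USE " + conf.get("target.database") + ";\n"
             + "SET hive.exec.compress.output=" + conf.get("hive.exec.compress.output") + ";";
    }

    /** Hardened pattern: each fragment validated for its shape, identifiers backquoted. */
    static String buildSafe(Map<String, String> conf) {
        String db = requireIdentifier(conf.get("target.database"));
        String compress = requireBoolean(conf.get("hive.exec.compress.output"));
        return "USE `" + db + "`;\n"
             + "SET hive.exec.compress.output=" + compress + ";";
    }

    /** Applies request-supplied overrides only for keys on the allow-list. */
    static Map<String, String> applyOverrides(Map<String, String> base,
                                              Map<String, String> overrides) {
        Map<String, String> merged = new HashMap<>(base);
        for (Map.Entry<String, String> e : overrides.entrySet()) {
            if (!OVERRIDABLE.contains(e.getKey())) {
                throw new IllegalArgumentException("override not permitted: " + e.getKey());
            }
            merged.put(e.getKey(), e.getValue());
        }
        return merged;
    }

    static String requireIdentifier(String v) {
        if (v == null || !IDENTIFIER.matcher(v).matches()) {
            throw new IllegalArgumentException("not a valid identifier");
        }
        return v;
    }

    static String requireBoolean(String v) {
        if (!"true".equals(v) && !"false".equals(v)) {
            throw new IllegalArgumentException("expected true or false");
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed base configuration.
        Map<String, String> base = Map.of("target.database", "analytics_db",
                                          "hive.exec.compress.output", "true");
        // Constructed override that tries to set a key outside the allow-list
        // with a value carrying a statement separator.
        Map<String, String> hostileKey = Map.of("target.database", "analytics_db; SELECT 1");

        System.out.println(buildSafe(base));
        try {
            buildSafe(applyOverrides(base, hostileKey));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            requireIdentifier("analytics_db; SELECT 1"); // shape check catches it as well
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two controls are deliberately independent: the key allow-list stops an untrusted caller from reaching a fragment at all, and the shape check on each fragment means that even a value that legitimately arrives through configuration cannot carry statement text.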


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================