=====================================================================

                           CERT-Renater

                 Note d'Information No. 2022/VULN006
_____________________________________________________________________

DATE                : 06/01/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kylin

=====================================================================
https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf
https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m
https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70

_____________________________________________________________________
CVE-2021-45456: Apache Kylin: Command injection
Severity: moderate

Description:

Apache Kylin checks the legitimacy of the project before executing some
commands with the project name passed in by the user. There is a
mismatch between the value that is checked and the value that is used as
the shell command argument in DiagnosisService. An illegal project name
can therefore pass the check and reach the subsequent command-building
steps, resulting in a command injection vulnerability.
This issue affects Apache Kylin 4.0.0.
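An added Python illustration of the check/use mismatch class described above (this is not Kylin's DiagnosisService code; the request field names, the name regex and the `diag.sh` script name are assumptions):

```python
import re
import shlex

# Assumed allowlist for a project name: letters, digits, underscore only.
PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def mismatched_check(request):
    """Buggy shape: the field that is validated ('project') is not the field
    that is used to build the command ('projectName').
    Returns the command string that would reach a shell, or None when the
    check rejects the request."""
    if not PROJECT_NAME_RE.fullmatch(request.get("project", "")):
        return None
    # The checked value is never used; the unchecked one is.
    return "diag.sh " + request.get("projectName", "")


def shell_would_split(command):
    """True when a shell would not see the intended two words 'diag.sh <name>',
    or when the string carries shell metacharacters."""
    return len(shlex.split(command)) != 2 or any(c in command for c in ";|&`$")


def safe_diag_argv(project):
    """Fixed shape: validate the exact value that will be used, then pass it as
    its own argv element so that no shell ever parses it (subprocess.run(argv)
    without shell=True)."""
    if not PROJECT_NAME_RE.fullmatch(project):
        raise ValueError("invalid project name: %r" % project)
    return ["diag.sh", project]
```
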

Mitigation:

Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch
https://github.com/apache/kylin/pull/1781.

Credit:

Alvaro Munoz

Best wishes to you!
From: Xiaoxiang Yu

CVE-2021-36774: Apache Kylin: Mysql JDBC Connector Deserialize RCE

Severity: moderate

Description:

Apache Kylin allows users to read data from other database systems using
JDBC. The MySQL JDBC driver supports certain properties, which, if left
unmitigated, can allow an attacker to execute arbitrary code from a
hacker-controlled malicious MySQL server within Kylin server processes.
This issue affects Apache Kylin 2 version 2.6.6 and prior versions;
Apache Kylin 3 version 3.1.2 and prior versions.

Mitigation:

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch
https://github.com/apache/kylin/pull/1694.

Credit:

jinchen sheng

CVE-2021-45457: Apache Kylin: Overly broad CORS configuration
Severity: moderate

Description:

Cross-origin requests with credentials are allowed to be sent from any
origin.

Kylin reflects the `Origin` header and allows credentials to be sent
cross-origin in the default configuration. The preflight OPTIONS request:
```
OPTIONS /kylin/api/projects HTTP/1.1
Host: localhost:7070
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: http://b49b-95-62-58-48.ngrok.io/
Origin: http://b49b-95-62-58-48.ngrok.io
Connection: keep-alive
Cache-Control: max-age=0
```

Will be replied with:

```
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
Access-Control-Allow-Credentials: true
Vary: Origin
Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
Content-Length: 0
```
This issue affects Apache Kylin 2 version 2.6.6 and prior versions;
Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version
4.0.0 and prior versions.
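An added Python check (not part of the advisory or of Kylin) that classifies a preflight response such as the one quoted above; the response text is a constructed copy of the advisory's sample and the expected-origin allowlist is an assumed parameter:

```python
# Constructed sample: the preflight response quoted in the advisory, with the
# request's Origin reflected back and credentials allowed.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
Access-Control-Allow-Credentials: true
Vary: Origin
Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
Content-Length: 0
"""


def parse_headers(raw):
    """Return {lower-case-name: value} for the header block of a raw response."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_verdict(raw_response, request_origin, allowlist=()):
    """Classify the CORS answer to a preflight sent with request_origin.

    A single response cannot distinguish reflection from an allowlist that
    happens to contain our origin, hence the allowlist of origins the
    deployment is expected to permit (assumed input).
    'reflected-with-credentials': ACAO echoes our Origin and ACAC is true,
                                  the Kylin default described above.
    'wildcard-with-credentials' : ACAO is '*' with ACAC true; browsers reject
                                  this, but it signals a careless config.
    """
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "not-allowed"
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao in allowlist:
        return "allowlisted"
    if acao == request_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "not-allowed"
```
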

Mitigation:

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch
https://github.com/apache/kylin/pull/1782.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch
https://github.com/apache/kylin/pull/1781.

Credit:

Alvaro Munoz

CVE-2021-31522: Apache Kylin unsafe class loading

Severity: moderate

Description:

Kylin can receive user input and load any class through Class.forName(...).
This issue affects Apache Kylin 2 version 2.6.6 and prior versions;
Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version
4.0.0 and prior versions.

Mitigation:

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch
https://github.com/apache/kylin/pull/1695.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch
https://github.com/apache/kylin/pull/1763.

Credit:

bo yu

CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming
Coordinator & SSRF

Severity: moderate

Description:

All request mappings in `StreamingCoordinatorController.java` handling
`/kylin/api/streaming_coordinator/*` REST API endpoints did not include
any security checks, which allowed an unauthenticated user to issue
arbitrary requests, such as assigning/unassigning of streaming cubes,
creation/modification and deletion of replica sets, to the Kylin
Coordinator.

For endpoints accepting node details in HTTP message body,
unauthenticated (but limited) server-side request forgery (SSRF) can be
achieved.

This issue affects Apache Kylin 3 versions prior to 3.1.2.

Mitigation:

Users of Kylin 3.x should upgrade to 3.1.3 or apply patch
https://github.com/apache/kylin/pull/1646.

Credit:

Wei Lin Ngo

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

