cnvd - cnvd-2022-02491

CNVD-2022-02491

Vulnerability from cnvd - Published: 2022-01-11

Title

Apache Kylin存在未明漏洞（CNVD-2022-02491）

Description

Apache Kylin是美国阿帕奇（Apache）基金会的一款开源的分布式分析型数据仓库。该产品主要提供Hadoop/Spark之上的SQL查询接口及多维分析（OLAP）等功能。 Apache kylin 存在安全漏洞，该漏洞源于用户使用PasswordPlaceholderConfigurer类对自己的密码进行加密并将其配置到kylin的配置文件中，则存在密码被解密的风险。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Apache Kylin存在未明漏洞（CNVD-2022-02491）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy

Reference

https://www.cybersecurity-help.cz/vdb/SB2022010627

Impacted products

Name
['Apache Kylin 2.0.0', 'Apache Kylin 2.1.0', 'Apache Kylin 2.2.0', 'Apache Kylin 2.3.0', 'Apache Kylin 2.3.1', 'Apache Kylin 2.3.2', 'Apache Kylin 2.4.0', 'Apache Kylin 2.4.1', 'Apache Kylin 2.5.0', 'Apache Kylin 2.5.1', 'Apache Kylin 2.5.2', 'Apache Kylin 2.6.1', 'Apache Kylin 2.6.2', 'Apache Kylin 2.6.3', 'Apache Kylin 2.6.4', 'Apache Kylin 2.6.5', 'Apache Kylin 2.6.6', 'Apache Kylin 3.0.0', 'Apache Kylin 3.0.1', 'Apache Kylin 3.0.2', 'Apache Kylin 2.6.0', 'Apache Kylin 3.1.0', 'Apache Kylin 3.1.1', 'Apache Kylin 3.1.2', 'Apache Kylin 4.0.0']

Name

['Apache Kylin 2.0.0', 'Apache Kylin 2.1.0', 'Apache Kylin 2.2.0', 'Apache Kylin 2.3.0', 'Apache Kylin 2.3.1', 'Apache Kylin 2.3.2', 'Apache Kylin 2.4.0', 'Apache Kylin 2.4.1', 'Apache Kylin 2.5.0', 'Apache Kylin 2.5.1', 'Apache Kylin 2.5.2', 'Apache Kylin 2.6.1', 'Apache Kylin 2.6.2', 'Apache Kylin 2.6.3', 'Apache Kylin 2.6.4', 'Apache Kylin 2.6.5', 'Apache Kylin 2.6.6', 'Apache Kylin 3.0.0', 'Apache Kylin 3.0.1', 'Apache Kylin 3.0.2', 'Apache Kylin 2.6.0', 'Apache Kylin 3.1.0', 'Apache Kylin 3.1.1', 'Apache Kylin 3.1.2', 'Apache Kylin 4.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-45458"
    }
  },
  "description": "Apache Kylin\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u5206\u6790\u578b\u6570\u636e\u4ed3\u5e93\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u63d0\u4f9bHadoop/Spark\u4e4b\u4e0a\u7684SQL\u67e5\u8be2\u63a5\u53e3\u53ca\u591a\u7ef4\u5206\u6790\uff08OLAP\uff09\u7b49\u529f\u80fd\u3002\n\nApache kylin \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7528\u6237\u4f7f\u7528PasswordPlaceholderConfigurer\u7c7b\u5bf9\u81ea\u5df1\u7684\u5bc6\u7801\u8fdb\u884c\u52a0\u5bc6\u5e76\u5c06\u5176\u914d\u7f6e\u5230kylin\u7684\u914d\u7f6e\u6587\u4ef6\u4e2d\uff0c\u5219\u5b58\u5728\u5bc6\u7801\u88ab\u89e3\u5bc6\u7684\u98ce\u9669\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-02491",
  "openTime": "2022-01-11",
  "patchDescription": "Apache Kylin\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u5206\u6790\u578b\u6570\u636e\u4ed3\u5e93\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u63d0\u4f9bHadoop/Spark\u4e4b\u4e0a\u7684SQL\u67e5\u8be2\u63a5\u53e3\u53ca\u591a\u7ef4\u5206\u6790\uff08OLAP\uff09\u7b49\u529f\u80fd\u3002\r\n\r\nApache kylin \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7528\u6237\u4f7f\u7528PasswordPlaceholderConfigurer\u7c7b\u5bf9\u81ea\u5df1\u7684\u5bc6\u7801\u8fdb\u884c\u52a0\u5bc6\u5e76\u5c06\u5176\u914d\u7f6e\u5230kylin\u7684\u914d\u7f6e\u6587\u4ef6\u4e2d\uff0c\u5219\u5b58\u5728\u5bc6\u7801\u88ab\u89e3\u5bc6\u7684\u98ce\u9669\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Kylin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-02491\uff09 \u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Kylin 2.0.0",
      "Apache Kylin 2.1.0",
      "Apache Kylin 2.2.0",
      "Apache Kylin 2.3.0",
      "Apache Kylin 2.3.1",
      "Apache Kylin 2.3.2",
      "Apache Kylin 2.4.0",
      "Apache Kylin 2.4.1",
      "Apache Kylin 2.5.0",
      "Apache Kylin 2.5.1",
      "Apache Kylin 2.5.2",
      "Apache Kylin 2.6.1",
      "Apache Kylin 2.6.2",
      "Apache Kylin 2.6.3",
      "Apache Kylin 2.6.4",
      "Apache Kylin 2.6.5",
      "Apache Kylin 2.6.6",
      "Apache Kylin 3.0.0",
      "Apache Kylin 3.0.1",
      "Apache Kylin 3.0.2",
      "Apache Kylin 2.6.0",
      "Apache Kylin 3.1.0",
      "Apache Kylin 3.1.1",
      "Apache Kylin 3.1.2",
      "Apache Kylin 4.0.0"
    ]
  },
  "referenceLink": "https://www.cybersecurity-help.cz/vdb/SB2022010627",
  "serverity": "\u4e2d",
  "submitTime": "2022-01-07",
  "title": "Apache Kylin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-02491\uff09"
}

CVE-2021-45458 (GCVE-0-2021-45458)

Vulnerability from cvelistv5 – Published: 2022-01-06 12:35 – Updated: 2024-08-04 04:39

Summary

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Severity ?

No CVSS data available.

CWE

CWE-798 - Use of Hard-coded Credentials

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/oof215qz188k16vhl…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/01/06/7	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2022/01/06/3	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kylin	Affected: Apache Kylin 2 , ≤ 2.6.6 (custom) Affected: Apache Kylin 3 , ≤ 3.1.2 (custom) Affected: Apache Kylin 4 , ≤ 4.0.0 (custom)

Credits

Alvaro Munoz <pwntester@github.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:21.117Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"
          },
          {
            "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"
          },
          {
            "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Kylin",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.6.6",
              "status": "affected",
              "version": "Apache Kylin 2",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.1.2",
              "status": "affected",
              "version": "Apache Kylin 3",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.0.0",
              "status": "affected",
              "version": "Apache Kylin 4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alvaro Munoz \u003cpwntester@github.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin\u0027s configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-06T15:06:18",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"
        },
        {
          "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"
        },
        {
          "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Hardcoded credentials",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users of Kylin 2.x \u0026 Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.\n\nAfter upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-45458",
          "STATE": "PUBLIC",
          "TITLE": "Hardcoded credentials"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Kylin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kylin 2",
                            "version_value": "2.6.6"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kylin 3",
                            "version_value": "3.1.2"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kylin 4",
                            "version_value": "4.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Alvaro Munoz \u003cpwntester@github.com\u003e"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin\u0027s configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-798 Use of Hard-coded Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"
            },
            {
              "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"
            },
            {
              "name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Users of Kylin 2.x \u0026 Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.\n\nAfter upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-45458",
    "datePublished": "2022-01-06T12:35:24",
    "dateReserved": "2021-12-21T00:00:00",
    "dateUpdated": "2024-08-04T04:39:21.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-02491

CVE-2021-45458 (GCVE-0-2021-45458)

Tags

Sightings

Nomenclature