
List:       oss-security
Subject:    [oss-security] CVE-2023-29055: Apache Kylin: Insufficiently protected credentials in config file
From:       Li Yang <liyang () apache ! org>
Date:       2024-01-29 11:06:04
Message-ID: 4614723d-7b0e-2a49-5f7a-0b011744eb60 () apache ! org

Severity: low

Affected versions:

- Apache Kylin 2.0.0 through 4.0.3

Description:

In Apache Kylin versions 2.0.0 through 4.0.3, the Server Config web interface displays the content of the file 'kylin.properties', which may contain server-side credentials. When the Kylin service runs over HTTP (or another plaintext protocol), a network sniffer can capture the HTTP payload and obtain the content of kylin.properties, including any credentials it contains.

To avoid this threat, users are recommended to:

  *  Always turn on HTTPS so that the network payload is encrypted.
  *  Avoid putting credentials in kylin.properties, or at least not in plain text.
  *  Use network firewalls to protect the server side so that it is not accessible to external attackers.
  *  Upgrade to Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.
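As an added illustration of the last two recommendations, the Python below shows the kind of server-side filtering a config-display endpoint should apply before anything reaches the browser: a minimal parser for the Java .properties format (comments, key=value / key:value pairs, backslash line continuations), a redaction step keyed on credential-like property names, and a small audit helper that lists which keys in a file still hold plaintext credentials. This is example code written for this note, not Kylin's own code and not the 4.0.4 fix; the key-name patterns, the sample kylin.properties content and all function names are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Key-name fragments treated as credential-bearing. Constructed for this
# example; a real deployment would maintain its own allow/deny list.
SENSITIVE_KEY_PATTERNS = ("password", "passwd", "secret", "token", "credential")

# Constructed sample file (not a real Kylin configuration); the last entry
# uses a backslash continuation, as Java .properties allows.
SAMPLE_KYLIN_PROPERTIES = """\
# constructed sample, not a real Kylin config
kylin.server.mode=all
kylin.metadata.url=kylin_metadata@hbase
kylin.source.hive.database-for-flat-table=default
kylin.security.ldap.connection-password=hunter2
kylin.env.zookeeper-connect-string=zk1:2181,\\
  zk2:2181
"""

_PAIR_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _continues(line: str) -> bool:
    """A line ends in a continuation when its trailing backslash run is odd."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: joins continuation lines, skips blank
    and '#'/'!' comment lines, and splits each logical line at the first
    '=' or ':'. Values are returned exactly as written (no unescaping)."""
    props: Dict[str, str] = {}
    buf = ""
    for raw in text.splitlines():
        # Leading whitespace on a continued line is ignored by the format.
        buf += raw.lstrip()
        if _continues(buf):
            buf = buf[:-1]
            continue
        if buf and buf[0] not in "#!":
            m = _PAIR_RE.match(buf)
            if m:
                props[m.group(1)] = m.group(2)
        buf = ""
    if buf and buf[0] not in "#!":
        m = _PAIR_RE.match(buf)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_sensitive(key: str) -> bool:
    """Case-insensitive substring match on the credential key patterns."""
    k = key.lower()
    return any(p in k for p in SENSITIVE_KEY_PATTERNS)


def redact_properties(props: Dict[str, str], mask: str = "******") -> Dict[str, str]:
    """Replace the value of every credential-like key with a fixed mask."""
    return {k: (mask if is_sensitive(k) else v) for k, v in props.items()}


def render_for_ui(text: str) -> str:
    """What a Server Config page should return: redacted, sorted key=value
    lines. Redaction happens server-side, before any network transfer."""
    redacted = redact_properties(parse_properties(text))
    return "\n".join(f"{k}={v}" for k, v in sorted(redacted.items()))


def find_plaintext_credentials(text: str) -> List[str]:
    """Audit helper for the 'avoid credentials in kylin.properties' advice:
    credential-like keys that carry a non-empty value in the file."""
    props = parse_properties(text)
    return sorted(k for k, v in props.items() if is_sensitive(k) and v.strip())


if __name__ == "__main__":
    print("Keys holding plaintext credentials:", find_plaintext_credentials(SAMPLE_KYLIN_PROPERTIES))
    print("Redacted view:")
    print(render_for_ui(SAMPLE_KYLIN_PROPERTIES))
```

Redaction by key name is deliberately conservative: an unknown key that happens to hold a secret is not caught, which is why the audit helper exists and why the advisory's first recommendation (keep credentials out of the file) still applies even after upgrading.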

Credit:

Li Jiakun <2839549219@qq.com> (reporter)

References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-29055
