|
Message-ID: <39ef6d48.47ba.17e2f3dce2f.Coremail.xxyu@apache.org> Date: Thu, 6 Jan 2022 19:54:46 +0800 (CST) From: "Xiaoxiang Yu" <xxyu@...che.org> To: oss-security@...ts.openwall.com Cc: pwntester@...hub.com Subject: CVE-2021-45458: Apache Kylin: Hardcoded credentials Severity: moderate Description: Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. Mitigation: Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782. Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781. After upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt. Credit: Alvaro Munoz -- Best wishes to you ! From :Xiaoxiang Yu
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.