Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 6 Jan 2022 19:54:46 +0800 (CST)
From: "Xiaoxiang Yu" <xxyu@...che.org>
To: oss-security@...ts.openwall.com
Cc: pwntester@...hub.com
Subject: CVE-2021-45458: Apache Kylin: Hardcoded credentials

Severity: moderate

Description:

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV.  If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.
This issue affects Apache Kylin Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Mitigation:

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.

After upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt.

Credit:

Alvaro Munoz 

--

Best wishes to you ! 
From ´╝ÜXiaoxiang Yu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.