- All versions starting from 2.0.0 up to 2.3.2, all versions starting from 2.4.0 up to 2.4.1, all versions starting from 2.5.0 up to 2.5.2, all versions starting from 2.6.0 up to 2.6.6, all versions starting from 3.0.0 up to 3.0.2, version 3.1.0
Description of the vulnerability
There is an unauthenticated configuration disclosure via the /kylin/api/admin/config GET API endpoint.
The getConfig() method behind the /kylin/api/admin/config endpoint did not include any security checks, which allowed an unauthenticated user to disclose all Kylin configuration settings, including sensitive information such as LDAP and JDBC credentials.
- Follow the steps at https://kylin.apache.org/docs/install/kylin_docker.html to get Kylin up and running
- Execute the following command:
- Notice that the JSON response returned contains all configured settings in /home/admin/apache-kylin-3.1.0-bin-hbase1x/conf/kylin.properties (in the Docker container)
Note: This vulnerability can be exploited regardless of whether kylin.security.profile is being set to testing (default for Docker image),
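As an added illustration (not part of the original advisory), the following Python script scans servlet-container access logs for successful GET requests to the /kylin/api/admin/config endpoint, which is the request pattern described above. The log lines are constructed samples, and the Tomcat/Apache "common" log format is an assumption about how the container is configured; hits against /kylin/api/admin/public_config are deliberately not reported, since that endpoint only returns whitelisted properties.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in Tomcat/Apache "common" access-log format
# (assumed container logging; these are not from a real Kylin deployment).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2020:10:01:02 +0000] "GET /kylin/api/admin/config HTTP/1.1" 200 18342
203.0.113.7 - - [17/Jul/2020:10:01:05 +0000] "GET /kylin/api/admin/public_config HTTP/1.1" 200 1210
198.51.100.4 - ADMIN [17/Jul/2020:10:02:11 +0000] "GET /kylin/api/admin/config HTTP/1.1" 200 18342
203.0.113.9 - - [17/Jul/2020:10:03:30 +0000] "GET /kylin/api/admin/config?x=1 HTTP/1.1" 200 18342
203.0.113.9 - - [17/Jul/2020:10:04:00 +0000] "GET /kylin/api/admin/config HTTP/1.1" 403 0
203.0.113.9 - - [17/Jul/2020:10:05:00 +0000] "PUT /kylin/api/admin/config HTTP/1.1" 401 0
"""

# ip, ident, remote-user, [timestamp], "METHOD target protocol", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SENSITIVE_PATH = "/kylin/api/admin/config"


@dataclass
class Finding:
    ip: str
    user: str       # remote-user field; "-" when the container saw no principal
    timestamp: str
    status: int


def find_config_disclosures(log_text: str) -> List[Finding]:
    """Return every successful GET of the full-config endpoint.

    A 401/403 means the admin check is in place, so only 200s are reported.
    On a vulnerable version the container cannot tell an anonymous caller
    from an admin (Spring Security handles auth), so the remote-user field
    is carried along purely to help triage."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Exact path match after stripping the query string, so that
        # /kylin/api/admin/public_config is not caught by a prefix match.
        path = m.group("target").split("?", 1)[0]
        if path != SENSITIVE_PATH or m.group("method") != "GET":
            continue
        status = int(m.group("status"))
        if status != 200:
            continue
        findings.append(Finding(m.group("ip"), m.group("user"), m.group("ts"), status))
    return findings
```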
Root Cause Analysis:
In /server-base/src/main/java/org/apache/kylin/rest/controller/AdminController.java, the getConfig() method, which handles the /kylin/api/admin/config GET API endpoint, does not ensure that the user is an admin.
This vulnerability has existed since the inception of the project. In an October 2014 commit, there was an admin check for the endpoint, but it had been commented out. Fast-forwarding to commit e3fe6b7 made in April 2017, it appears that Kylin developers were aware that not performing the necessary admin check when obtaining the configuration properties is indeed a critical security vulnerability, and had tracked this issue as KYLIN-1664 internally.
In commit 4629d84 made in December 2017, Kylin developers attempted to mitigate the vulnerability by introducing a new /kylin/api/admin/public_config endpoint that discloses only whitelisted configuration properties. In addition, the /config PUT endpoint was also updated to include an admin check to prevent unauthenticated users from modifying the Kylin configuration.
Code refactoring was also performed in the above commit, removing the (commented-out) admin check for the /kylin/api/admin/config GET endpoint from the codebase without actually adding an admin check for the endpoint or for fetching the configuration details.
This incomplete fix was unfortunately thought to have resolved the security vulnerability successfully. In the changelog of Kylin 2.3.0, the above changes were described as:
[KYLIN-1664] - Harden security check for '/kylin/api/admin/config' API.
Below are some recommendations on how this security vulnerability can be remediated.
- Update the access control rule <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> on line 256 (for the ldap security profile) and line 308 (for the saml security profile) to <scr:intercept-url pattern="/api/admin/config" access="hasRole('ROLE_ADMIN')"/>.
- 2020-07-17 Reported to Vendor
- 2020-07-18 Vendor acknowledged
- 2020-10-19 Vendor patched the vulnerability