
CVE-2021-45458 : Security Advisory and Response

Learn about CVE-2021-45458 affecting Apache Kylin versions 2.6.6 and earlier, 3.1.2 and earlier, and 4.0.0 and earlier. Find mitigation steps and prevention measures to secure your system.

Apache Kylin provides encryption classes with hardcoded credentials, potentially exposing passwords to decryption attacks.

Understanding CVE-2021-45458

What is CVE-2021-45458?

Apache Kylin versions 2.6.6 and prior, 3.1.2 and prior, and 4.0.0 and prior ship encryption classes that use a hardcoded key and IV, so passwords encrypted with them can be decrypted by anyone who knows those fixed values.

The Impact of CVE-2021-45458

        Severity: Moderate
        CWE ID: CWE-798 (Use of Hard-coded Credentials)
        Risk: Password exposure and decryption

Technical Details of CVE-2021-45458

Vulnerability Description

The encryption classes in Apache Kylin initialize the cipher with hardcoded credentials, allowing potential decryption of passwords configured in Kylin's files.

Affected Systems and Versions

        Apache Kylin 2 version 2.6.6 and earlier
        Apache Kylin 3 version 3.1.2 and earlier
        Apache Kylin 4 version 4.0.0 and earlier

Exploitation Mechanism

Because the key and IV are fixed in the code, an attacker who obtains a password value encrypted with the vulnerable encryption classes can decrypt it.

Mitigation and Prevention

Immediate Steps to Take

        Users of Kylin 2.x & 3.x should upgrade to version 3.1.3 or apply the provided patch.
        Users of Kylin 4.x should upgrade to version 4.0.1 or apply the respective patch.
        Configure kylin.security.encrypt.cipher.ivSpec in kylin.properties after the upgrade.
        Re-encrypt passwords for enhanced security.
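The following audit helper is an added example, not part of this advisory or of Apache Kylin's code: it checks a reported Kylin version against the fixed releases named above and checks a kylin.properties fragment for the ivSpec setting. The version thresholds and property name come from the advisory; the sample property contents are constructed.

```python
"""Audit helper for CVE-2021-45458: version check plus kylin.properties ivSpec check."""
from __future__ import annotations

IV_SPEC_KEY = "kylin.security.encrypt.cipher.ivSpec"
# Fixed releases per major line, as stated in the advisory: 2.x and 3.x -> 3.1.3, 4.x -> 4.0.1.
FIXED_VERSIONS = {2: (3, 1, 3), 3: (3, 1, 3), 4: (4, 0, 1)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.1.2' or '4.0.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))  # pad short versions such as '4.0'
    return parts[0], parts[1], parts[2]


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep_pos = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep_pos < 0:
            continue
        props[line[:sep_pos].strip()] = line[sep_pos + 1:].strip()
    return props


def audit_kylin(version: str, properties_text: str) -> list[str]:
    """Return a list of findings; an empty list means both advisory steps are satisfied."""
    findings: list[str] = []
    ver = parse_version(version)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        findings.append(f"unrecognised Kylin major version in '{version}'; check manually")
    elif ver < fixed:
        target = ".".join(map(str, fixed))
        findings.append(f"Kylin {version} is affected by CVE-2021-45458; upgrade to {target} "
                        "or apply the patch, then re-encrypt stored passwords")
    if not parse_properties(properties_text).get(IV_SPEC_KEY, ""):
        findings.append(f"{IV_SPEC_KEY} is not set in kylin.properties; configure it after upgrading")
    return findings


# Constructed sample configurations (placeholders, not a real deployment).
PROPS_WITHOUT_IV = "# kylin.properties (constructed sample)\nkylin.metadata.url=kylin_metadata@hbase\n"
PROPS_WITH_IV = PROPS_WITHOUT_IV + f"{IV_SPEC_KEY}=EXAMPLE-IV-PLACEHOLDER\n"

if __name__ == "__main__":
    for ver, props in [("3.1.2", PROPS_WITHOUT_IV), ("4.0.1", PROPS_WITH_IV)]:
        print(ver, audit_kylin(ver, props) or ["no findings"])
```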

Long-Term Security Practices

        Regularly update to the latest versions of Apache Kylin.

Patching and Updates

Apply patches provided by Apache Kylin to fix the hardcoded credentials vulnerability.
