CVE-2020-1956: Apache Kylin Remote Command Execution Vulnerability

Recently, Apache officially released a security bulletin that fixed an Apache Kylin remote command execution vulnerability (CVE-2020-1956). There are some restful APIs in Kylin, which can connect the operating system commands with the string entered by the user. Because the user input is not properly verified, the attacker can execute any system command without verification. At present, the PoC vulnerability has been disclosed, and relevant users are requested to take timely measures to protect them.

Affected version

• Kylin 2.3.0 – 2.3.2
• Kylin 2.4.0 – 2.4.1
• Kylin 2.5.0 – 2.5.2
• Kylin 2.6.0 – 2.6.5
• Kylin 3.0.0-alpha
• Kylin 3.0.0-alpha2
• Kylin 3.0.0-beta
• Kylin 3.0.0 – 3.0.1

Unaffected version

• Kylin = 2.6.6
• Kylin = 3.0.2

Solution

At present, the Apache Kylin developer team has fixed the vulnerability in the latest versions 2.6.6 and 3.0.2. Please the users upgrade Apache Kylin to the unaffected version as soon as possible for protection.

If the relevant user is temporarily unable to perform the upgrade operation, the following temporary mitigation measures can be adopted: set kylin.tool.auto-migrate-cube.enabled to false to disable command execution