[Alert] Apache Kylin Command Injection Vulnerability (CVE-2020-1956)

May 22, 2020 GMT+08:00

I. Overview

Apache Kylin has officially published a security advisory disclosing a command injection vulnerability (CVE-2020-1956) in several Kylin versions. Apache Kylin™ is an open-source, distributed analytical data warehouse. Some Kylin APIs concatenate operating-system commands with user-supplied strings, so a user may be able to execute arbitrary operating-system commands without any protection or validation.

We therefore remind Apache Kylin users to check their deployments and apply security hardening promptly.

Security issue link:

https://kylin.apache.org/docs/security.html

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected Versions:

Apache Kylin 2.3.0 to 2.3.2

Apache Kylin 2.4.0 to 2.4.1

Apache Kylin 2.5.0 to 2.5.2

Apache Kylin 2.6.0 to 2.6.5

Apache Kylin 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, and 3.0.1

Secure Versions:

Apache Kylin 3.0.2 or 2.6.6

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official release. If your deployed version falls within the affected range, upgrade it to a secure version.

Download link:

https://kylin.apache.org/download/

Mitigation measure: Set kylin.tool.auto-migrate-cube.enabled to false to disable the affected command execution.
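The self-check this notice asks for, written as an added example (not code from Apache Kylin or from this notice): it tests a deployed version string against the affected ranges listed above and reads a kylin.properties excerpt for the mitigation key. The assess helper, the conservative treatment of an absent key as "not mitigated", and the sample properties text are assumptions made for the example.

```python
import re

# Affected ranges listed in this advisory (inclusive bounds); the last one
# spans 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0 and 3.0.1.
AFFECTED_RANGES = [("2.3.0", "2.3.2"), ("2.4.0", "2.4.1"), ("2.5.0", "2.5.2"),
                   ("2.6.0", "2.6.5"), ("3.0.0-alpha", "3.0.1")]
# Pre-release tags from the advisory, in order; a final release ranks after them.
PRERELEASE_RANK = {"alpha": 0, "alpha2": 1, "beta": 2}
MITIGATION_KEY = "kylin.tool.auto-migrate-cube.enabled"

def parse_version(text):
    """Turn '3.0.0-alpha2' into a comparable tuple (3, 0, 0, 1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([a-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kylin version: {text!r}")
    major, minor, patch, tag = m.groups()
    rank = 100 if tag is None else PRERELEASE_RANK[tag]  # KeyError on unknown tags
    return (int(major), int(minor), int(patch), rank)

def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def mitigation_applied(properties_text):
    """True only if the key is explicitly 'false'. Handles 'key=value' lines; like
    java.util.Properties the last occurrence wins. Absent key = not mitigated."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, val = line.partition("=")
        if key.strip() == MITIGATION_KEY:
            value = val.strip().lower()
    return value == "false"

def assess(version, properties_text):
    # Hypothetical summary helper combining the two checks above.
    if not is_affected(version):
        return "not affected"
    if mitigation_applied(properties_text):
        return "affected, mitigated; still upgrade to 3.0.2 or 2.6.6"
    return "affected, unmitigated; upgrade or set the mitigation"

# Constructed sample kylin.properties excerpt (not from a real deployment).
SAMPLE_PROPERTIES = """kylin.tool.auto-migrate-cube.enabled=true
kylin.tool.auto-migrate-cube.enabled = false
"""
```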

Note: Back up your files and test thoroughly before applying the fix.