[CVE-2020-1956] Apache Kylin command injection vulnerability

A team of cyber security awareness specialists recently revealed the finding of a critical vulnerability in Apache Kylin, the open source distributed analytics engine designed to provide a SQL interface and multidimensional analytics in Hadoop and Alluxio that support extremely large datasets.

According to the report, the security flaw, tracked as CVE-2020-1956, would allow remote code execution on vulnerable systems.

Apparently there are some relaxing APIs in Kylin, which can connect operating system commands to the string entered by the user. Because user input is not properly verified, threat actors could execute any system command without any verification.

Cyber security awareness experts also mentioned that proof of concept for the vulnerability was revealed, and users of affected deployments were also asked to take the necessary steps to protect their systems. According to the report, the affected versions are:

  • Kylin 2.3.0 – 2.3.2
  • Kylin 2.4.0 – 2.4.1
  • Kylin 2.5.0 – 2.5.2
  • Kylin 2.6.0 – 2.6.5
  • Kylin 3.0.0-alpha
  • Kylin 3.0.0-alpha2
  • Kylin 3.0.0-beta
  • Kylin 3.0.0 – 3.0.1

On the other hand, Kylin versions 2.6.6 and Kylin 3.0.2 are not affected by the vulnerability.

To fix the flaw, Apache Kylin developers fixed the flaw in the latest software releases (2.6.6 and 3.0.2). Users are strongly encouraged to upgrade to fixed versions as soon as possible to mitigate the risk of exploitation.

In case users are unable to install the updates, users will be able to set kylin.tool.auto-migrate-cube.enabled to false, which will disable the execution of remote commands, cyber security awareness experts mention.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.