CVE-2022-24697: Apache Kylin Command Injection Vulnerability
Apache Kylin released the latest security bulletin on October 11, which contains a command injection vulnerability (CVE-2022-24697). The severity is important. The security researcher Kai Zhao of the ToTU Security Team has been credited with reporting this flaw.
Apache Kylin is an open-source Distributed Analytical Data Warehouse for Big Data; it was designed to provide OLAP (Online Analytical Processing) capability in the big data era. By renovating the multi-dimensional cube and precalculation technology on Hadoop and Spark, Kylin is able to achieve near-constant query speed regardless of the ever-growing data volume. Reducing query latency from minutes to sub-second, Kylin brings online analytics back to big data.
CVE-2022-24697 is a command injection vulnerability triggered when system parameters are overwritten through the configuration overwrites menu. By sending a specially crafted request using the value parameter, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
“RCE can be implemented by closing the single quotation marks around the parameter value of "--conf=" to inject any operating system command into the command line parameters,” reads the mailing archive.
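The quoting failure described in the advisory is a general pattern, not specific to Kylin: a configuration value is wrapped in single quotes by string concatenation, so a value that itself contains a closing quote escapes the quoting and becomes separate shell words. The following is an added example (written for this article, not Kylin's own Java code) that contrasts the vulnerable construction with two hardened forms and a value check. It uses Python with `spark-submit` as an assumed stand-in for the launched command; the key and values are constructed, and nothing is executed: `shlex.split` only shows how a POSIX shell would tokenize each line.

```python
import re
import shlex

# Constructed sample values (assumptions for this example, not taken from Kylin).
BENIGN = "kylin"
HOSTILE = "x' 'y"  # a closing quote plus a space: escapes naive single-quote wrapping


def naive_conf_cmdline(key: str, value: str) -> str:
    """Vulnerable pattern: the value is wrapped in single quotes by concatenation.

    Any single quote inside `value` terminates the quoting early.
    """
    return f"spark-submit --conf={key}='{value}'"


def quoted_conf_cmdline(key: str, value: str) -> str:
    """Hardened variant when a shell string is unavoidable.

    shlex.quote escapes embedded quotes so the shell sees exactly one word.
    """
    return "spark-submit " + shlex.quote(f"--conf={key}={value}")


def argv_conf(key: str, value: str) -> list[str]:
    """Preferred variant: pass an argument vector to the subprocess API.

    With no shell in the loop there is nothing for a stray quote to close.
    """
    return ["spark-submit", f"--conf={key}={value}"]


def shell_words(cmdline: str) -> list[str]:
    """Tokenize a command line the way a POSIX shell would (nothing is run)."""
    return shlex.split(cmdline)


# Shell metacharacters that a configuration value has no business containing.
_SHELL_META = re.compile(r"[\s'\"`$;&|<>()\\]")


def is_safe_conf_value(value: str) -> bool:
    """Allow-list style check: reject values with quotes or shell metacharacters."""
    return _SHELL_META.search(value) is None


if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(f"{label}: value={value!r} safe={is_safe_conf_value(value)}")
        print("  naive  ->", shell_words(naive_conf_cmdline("k", value)))
        print("  quoted ->", shell_words(quoted_conf_cmdline("k", value)))
        print("  argv   ->", argv_conf("k", value))
```

For the hostile value the naive line tokenizes into three words, with part of the value promoted to a separate argument; the quoted line and the argv form keep the value inside a single `--conf=` word. In a code review, the presence of `f"...='{value}'"` style construction followed by a shell invocation is the defect to look for; the fix is to drop the shell or to quote with a library routine, and to validate values against an allow-list as a second layer.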
Affected version
- Apache Kylin version 4.0.1 and above
Unaffected version
- Apache Kylin version 4.0.2
Solution
Apache Kylin has fixed this vulnerability in its latest release; install the unaffected version or apply a patch as soon as possible.