CVE-2022-43396 & CVE-2022-44621: Command injection in Apache Kylin
The Apache project patched the two high-severity security vulnerabilities in Apache Kylin that, if left unaddressed, could be exploited to gain remote code execution (RCE) on the affected system.
Apache Kylin is an open-source Distributed Analytical Data Warehouse for Big Data; it was designed to provide OLAP (Online Analytical Processing) capability in the big data era. By renovating the multi-dimensional cube and precalculation technology on Hadoop and Spark, Kylin is able to achieve near-constant query speed regardless of the ever-growing data volume. Reducing query latency from minutes to sub-second, Kylin brings online analytics back to big data.
The first flaw, tracked as CVE-2022-43396, could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a bypass flaw in the blocklist. By sending a specially-crafted request using the kylin.engine.spark-cmd parameter of conf, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
“In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf,” reads the mailing archive.
The second bug, tracked as CVE-2022-44621, could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an improper parameter validation flaw in the Diagnosis Controller. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
“Diagnosis Controller miss parameter validation, so user may be attacked by command injection via HTTP Request,” Apache Kylin wrote in its advisory.
Two researchers Yasax1 Li and Messy God have been credited for finding these vulnerabilities.
CVE-2022-43396 and CVE-2022-44621 affect Kylin 2.x & Kylin 3.x & 4.x. Apache Kylin users are encouraged to upgrade to version 4.0.3 or apply the patch to avoid possible exploitation.