CVE-2021-45458 - OpenCVE

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Kylin

Configuration 1 [-]

OR	cpe:2.3:a:apache:kylin::::::::
	cpe:2.3:a:apache:kylin::::::::
	cpe:2.3:a:apache:kylin:4.0.0:-::::::
	cpe:2.3:a:apache:kylin:4.0.0:alpha::::::
	cpe:2.3:a:apache:kylin:4.0.0:beta::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/01/06/3
http://www.openwall.com/lists/oss-security/2022/01/06/7
https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-06T12:35:24

Updated: 2024-08-04T04:39:21.117Z

Reserved: 2021-12-21T00:00:00

Link: CVE-2021-45458

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-06T13:15:08.330

Modified: 2023-07-21T16:52:45.507

Link: CVE-2021-45458

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Kylin", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.6.6", "status": "affected", "version": "Apache Kylin 2", "versionType": "custom"}, {"lessThanOrEqual": "3.1.2", "status": "affected", "version": "Apache Kylin 3", "versionType": "custom"}, {"lessThanOrEqual": "4.0.0", "status": "affected", "version": "Apache Kylin 4", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Alvaro Munoz <pwntester@github.com>"}], "descriptions": [{"lang": "en", "value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-06T15:06:18", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Hardcoded credentials", "workarounds": [{"lang": "en", "value": "Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.\n\nAfter upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-45458", "STATE": "PUBLIC", "TITLE": "Hardcoded credentials"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Kylin", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Kylin 2", "version_value": "2.6.6"}, {"version_affected": "<=", "version_name": "Apache Kylin 3", "version_value": "3.1.2"}, {"version_affected": "<=", "version_name": "Apache Kylin 4", "version_value": "4.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Alvaro Munoz <pwntester@github.com>"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy", "refsource": "MISC", "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.\n\nAfter upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:21.117Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"}, {"name": "[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45458", "datePublished": "2022-01-06T12:35:24", "dateReserved": "2021-12-21T00:00:00", "dateUpdated": "2024-08-04T04:39:21.117Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ED3ED46-D80F-4D42-9973-9F075B946351", "versionEndIncluding": "2.6.6", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EB6EBBD-9C39-45B1-9EED-9D99228D0D76", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kylin:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "A9ED56E6-4BD6-410A-894C-350295DB8443", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kylin:4.0.0:alpha:*:*:*:*:*:*", "matchCriteriaId": "7CBD3E44-4EB4-474D-911C-3C1ED9061DCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kylin:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "BE87BCCF-8188-44F3-A727-808A8D6C45B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."}, {"lang": "es", "value": "Apache Kylin proporciona clases de cifrado PasswordPlaceholderConfigurer para ayudar a usuarios a cifrar sus contrase\u00f1as. En el algoritmo de cifrado usado por esta clase de cifrado, el cifrado es inicializado con una clave y un IV embebidos. Si los usuarios usan la clase PasswordPlaceholderConfigurer para cifrar su contrase\u00f1a y la configuran en el archivo de configuraci\u00f3n de kylin, se presenta el riesgo de que la contrase\u00f1a pueda ser descifrada. Este problema afecta a Apache Kylin 2 versiones 2.6.6 y anteriores; Apache Kylin 3 versiones 3.1.2 y anteriores; Apache Kylin 4 versiones 4.0.0 y anteriores."}], "id": "CVE-2021-45458", "lastModified": "2023-07-21T16:52:45.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-06T13:15:08.330", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/3"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/7"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}, {"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "security@apache.org", "type": "Secondary"}]}