CVE-2021-27738 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2021-27738?

CVE-2021-27738 has a CVSS score of 7.5 (HIGH). This vulnerability allows unauthenticated attackers to manipulate Apache Kylin's streaming cube management and replica sets via unprotected REST API endpoints. Attackers can perform administrative actions like assigning/unassigning streaming cubes and modifying replica sets, with limited SSRF capabilities. This affects Apache Kylin 3 installations prior to version 3.1.2.

📋 TL;DR

This vulnerability allows unauthenticated attackers to manipulate Apache Kylin's streaming cube management and replica sets via unprotected REST API endpoints. Attackers can perform administrative actions like assigning/unassigning streaming cubes and modifying replica sets, with limited SSRF capabilities. This affects Apache Kylin 3 installations prior to version 3.1.2.

💻 Affected Systems

Products:

Apache Kylin

Versions: Apache Kylin 3 versions prior to 3.1.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all default installations of affected Kylin versions.

📦 What is this software?

Kylin by Apache

View all CVEs affecting Kylin →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Kylin streaming infrastructure, unauthorized data manipulation, and limited server-side request forgery to internal systems.

🟠

Likely Case

Unauthorized administrative actions on streaming cubes and replica sets, potentially disrupting data processing pipelines.

🟢

If Mitigated

No impact if proper authentication and authorization controls are implemented.

🌐 Internet-Facing: HIGH - Unauthenticated access to administrative endpoints exposed to internet.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers but requires network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests to unprotected endpoints, no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Kylin 3.1.2 or later

Vendor Advisory: https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70

Restart Required: Yes

Instructions:

1. Backup current Kylin installation. 2. Download Kylin 3.1.2 or later from Apache website. 3. Stop Kylin service. 4. Replace with patched version. 5. Restart Kylin service. 6. Verify functionality.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to Kylin Coordinator endpoints using firewall rules or network segmentation.

iptables -A INPUT -p tcp --dport [kylin-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [kylin-port] -j DROP

Reverse Proxy Authentication

all

Place Kylin behind a reverse proxy with authentication requirements.

🧯 If You Can't Patch

Implement strict network segmentation to isolate Kylin from untrusted networks
Deploy web application firewall (WAF) with rules blocking unauthorized API calls to affected endpoints

🔍 How to Verify

Check if Vulnerable:

Test if unauthenticated HTTP requests to /kylin/api/streaming_coordinator/* endpoints are accepted.

Check Version:

Check Kylin version in web interface or configuration files, or run: curl http://[kylin-host]:[port]/kylin/api/about

Verify Fix Applied:

Verify that unauthenticated requests to affected endpoints return authentication errors (401/403).

📡 Detection & Monitoring

Log Indicators:

Unauthenticated requests to /kylin/api/streaming_coordinator/* endpoints
Unexpected cube assignment/unassignment events
Replica set modifications from unknown sources

Network Indicators:

HTTP POST/PUT/DELETE requests to streaming coordinator endpoints without authentication headers
Unusual traffic patterns to Kylin Coordinator API

SIEM Query:

source="kylin.log" AND (uri="/kylin/api/streaming_coordinator/*" AND NOT (user!="anonymous" OR auth_success="true"))

📊 Metadata

CVE ID: CVE-2021-27738

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-918

Published: January 6, 2022

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2022/01/06/6 Mailing List,Third Party Advisory
https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70 Mailing List,Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/01/06/6 Mailing List,Third Party Advisory
https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70 Mailing List,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-27738, you might also want to check these: