CVE-2021-45456

9.8 CRITICAL

📋 TL;DR

Apache Kylin 4.0.0 contains a command injection vulnerability in DiagnosisService. The project name supplied by the user is checked for legitimacy before being passed to a shell command, but the value that is checked is not the same value that is executed, so the check can be bypassed and arbitrary shell commands run on the server. This vulnerability affects all Apache Kylin 4.0.0 installations and can lead to complete system compromise.
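The following is an added illustration of the bug class described above (a validate/execute mismatch) next to its hardened form. It is not Kylin's code: the normalisation step in the vulnerable function, the allowlist regex, and the script path `/opt/kylin/bin/diag.sh` are all assumptions chosen for the example.

```python
import re
import subprocess

# Assumed allowlist for this example; Kylin's own validation rule is not reproduced here.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
# Hypothetical diagnostic helper script, standing in for whatever the real service invokes.
DIAG_SCRIPT = "/opt/kylin/bin/diag.sh"


def diag_command_vulnerable(project_arg: str, known_projects: set) -> list:
    """Models the bug class only (invented normalisation, not Kylin's code):
    the existence check runs on a cleaned-up copy of the input, but the raw
    input is spliced into a string that a shell will parse."""
    checked = project_arg.strip().split()[0].lower()   # what gets checked ...
    if checked not in known_projects:
        raise ValueError("unknown project")
    # ... and what gets executed: the raw string, via `sh -c`
    return ["sh", "-c", f"{DIAG_SCRIPT} {project_arg}"]


def diag_command_hardened(project_arg: str, known_projects: set) -> list:
    """Validate exactly the bytes that will be executed, then pass them as a
    single argv element so no shell ever parses them."""
    if PROJECT_NAME_RE.fullmatch(project_arg) is None:
        raise ValueError("project name contains disallowed characters")
    if project_arg not in known_projects:
        raise ValueError("unknown project")
    return [DIAG_SCRIPT, project_arg]


def hardened_rejects(project_arg: str, known_projects: set) -> bool:
    """Convenience check: does the hardened builder refuse this input?"""
    try:
        diag_command_hardened(project_arg, known_projects)
    except ValueError:
        return True
    return False


def run_diag(argv: list) -> None:
    """Execute an argv list without a shell; the project name is one argument,
    never a command-line fragment."""
    subprocess.run(argv, check=True, shell=False)


if __name__ == "__main__":
    projects = {"learn_kylin"}
    print(diag_command_vulnerable("learn_kylin ;id", projects))   # check passes, shell runs `id`
    print(hardened_rejects("learn_kylin ;id", projects))          # True
    print(diag_command_hardened("learn_kylin", projects))         # argv list, no shell
```

The point of the hardened version is not the regex alone: the name that is validated is the same object that is executed, and execution goes through an argv list rather than a shell string, so even a character that slipped past the allowlist would reach the script as data, not as syntax.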

💻 Affected Systems

Products:
  • Apache Kylin
Versions: 4.0.0 only
Operating Systems: All operating systems running Apache Kylin
Default Config Vulnerable: ⚠️ Yes
Notes: All Apache Kylin 4.0.0 installations are vulnerable regardless of configuration.

📦 What is this software?

Apache Kylin is an open-source distributed OLAP engine for analytics on very large datasets, typically deployed on a Hadoop/Spark cluster. It exposes a web UI and a REST API (port 7070 by default); the DiagnosisService behind that API packages logs and metadata for a project or job into a downloadable diagnostic bundle.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution with root/system privileges if the Kylin service runs as root, allowing complete takeover of the server, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Remote code execution with the privileges of the Kylin service account, enabling data theft, service disruption, and installation of backdoors.

🟢

If Mitigated

Limited impact if network segmentation, a least-privilege service account, and request filtering in front of the Kylin API are in place; patching is still the only complete fix.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to authenticated users or attackers who gain initial access to the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Kylin 4.0.1 or later

Vendor Advisory: https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf

Restart Required: Yes

Instructions:

1. Back up your Kylin configuration and metadata.
2. Stop the Kylin service.
3. Upgrade to Apache Kylin 4.0.1 or later.
4. Restart the Kylin service.
5. Verify the fix: confirm the running version is 4.0.1 or later and that a diagnosis request whose project name contains shell metacharacters (for example `;` or `$(`) is rejected rather than executed.

🔧 Temporary Workarounds

Network Isolation

Restrict network access to Kylin instances to only trusted IP addresses. Replace `trusted_ip` with the address or CIDR of your clients; 7070 is Kylin's default port, so adjust it if you changed `kylin.server.port`. Note that `-A` appends, so an earlier ACCEPT-all rule in the chain would still win; insert these rules ahead of it (or use `-I`) if that is the case.

iptables -A INPUT -p tcp --dport 7070 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 7070 -j DROP

Service Account Restriction

Run Kylin with a non-privileged service account with minimal permissions, then start Kylin as that user (for example `User=kylin_user` in the systemd unit, or `sudo -u kylin_user /opt/kylin/bin/kylin.sh start`). This does not prevent exploitation; it only caps what an attacker gets.

useradd -r -s /bin/false kylin_user
chown -R kylin_user:kylin_user /opt/kylin

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Kylin instances
  • Deploy web application firewall (WAF) rules to block shell metacharacters in the project name of diagnosis requests, including their URL-encoded and double-encoded forms; treat this as a stopgap, since filter rules can be bypassed

🔍 How to Verify

Check if Vulnerable:

Check if running Apache Kylin version 4.0.0 by examining the version file or the service logs in the install directory (the path below assumes a default `/opt/kylin` install; substitute your `KYLIN_HOME`). The version is also shown in the web UI.

Check Version:

cat /opt/kylin/version.txt 2>/dev/null || grep -i version /opt/kylin/logs/*.log

Verify Fix Applied:

Verify installation of Apache Kylin 4.0.1 or later and test that project names with shell metacharacters are properly rejected

📡 Detection & Monitoring

Log Indicators:

  • Child processes spawned by the Kylin JVM other than its expected diagnostic scripts, or unexpected commands in Kylin's logs
  • Diagnosis requests whose project name contains shell metacharacters such as ;, |, &, $, or their URL-encoded forms
  • Failed authentication attempts against the Kylin API followed by diagnosis requests from the same source

Network Indicators:

  • Unusual outbound connections from Kylin server
  • Traffic to unexpected ports from Kylin service

SIEM Query:

source="*kylin*.log" "DiagnosisService" OR "/diag/project/" | regex _raw="project\S*[;|&$`]"

(Splunk syntax; a regex inside a quoted search term is matched literally, so the pattern has to go through the `regex` command rather than the base search.)
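The detection logic above, as an added example run over constructed sample lines; this is not code from the page or the Kylin project. The log lines are made up in a generic access-log shape, and the REST path `/kylin/api/diag/project/<name>/download` for the project diagnosis endpoint is assumed. The example also decodes percent-encoding repeatedly, because an attacker who knows metacharacters are filtered will double-encode them.

```python
import re
from urllib.parse import unquote

# Constructed sample lines; not real Kylin logs. The endpoint path is assumed.
SAMPLE_LINES = [
    '10.0.0.5 - admin [12/Jan/2022:10:01:02 +0000] "GET /kylin/api/diag/project/learn_kylin/download HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [12/Jan/2022:10:03:44 +0000] "GET /kylin/api/diag/project/learn_kylin%3Bid/download HTTP/1.1" 200 0',
    '10.0.0.9 - - [12/Jan/2022:10:04:10 +0000] "GET /kylin/api/diag/project/x%2524%2528id%2529/download HTTP/1.1" 200 0',
    '10.0.0.5 - admin [12/Jan/2022:10:05:00 +0000] "GET /kylin/api/projects HTTP/1.1" 200 880',
]

# Assumed diagnosis endpoint; the capture group is the user-controlled project name.
DIAG_PATH_RE = re.compile(r'/kylin/api/diag/project/([^/\s?"]+)')

# Characters that a POSIX shell would interpret if the name reached `sh -c`.
SHELL_META = set(';|&$`(){}<>\\\'"\n')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %2524 -> %24 -> $ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_diag_requests(lines) -> list:
    """Return one record per diagnosis request whose decoded project name
    contains shell metacharacters. Benign requests and other endpoints are skipped."""
    hits = []
    for line in lines:
        match = DIAG_PATH_RE.search(line)
        if not match:
            continue
        name = fully_decode(match.group(1))
        meta = sorted(set(name) & SHELL_META)
        if meta:
            hits.append({"project": name, "metachars": meta, "line": line})
    return hits


if __name__ == "__main__":
    for hit in flag_diag_requests(SAMPLE_LINES):
        print(hit["project"], hit["metachars"])
```

A plain `grep` for `;` on the raw log would miss both suspicious lines here, because the metacharacters only appear after decoding; run the same decode step on whatever field your SIEM extracts the project name from.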
