CVE-2021-45458

7.5 HIGH

📋 TL;DR

Apache Kylin's PasswordPlaceholderConfigurer uses hardcoded encryption keys and initialization vectors, making encrypted passwords easily decryptable by anyone who knows the algorithm. This affects users who encrypted passwords with this class and stored them in Kylin configuration files. The vulnerability impacts Apache Kylin versions 2.6.6 and earlier, 3.1.2 and earlier, and 4.0.0 and earlier.

💻 Affected Systems

Products:
  • Apache Kylin
Versions: Apache Kylin 2: ≤2.6.6; Apache Kylin 3: ≤3.1.2; Apache Kylin 4: ≤4.0.0
Operating Systems: All platforms running affected Apache Kylin versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if users specifically used PasswordPlaceholderConfigurer to encrypt passwords and stored them in configuration files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers decrypt all encrypted passwords in configuration files, gaining unauthorized access to database credentials, service accounts, and other sensitive authentication data.

🟠 Likely Case

Attackers with access to configuration files can decrypt stored passwords, potentially compromising database connections and other integrated services.

🟢 If Mitigated

If passwords are stored using secure methods or systems are properly segmented, impact is limited to specific configuration files.

🌐 Internet-Facing: MEDIUM - While the vulnerability itself doesn't provide direct remote access, internet-facing Kylin instances with exposed configuration files could be targeted.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can easily decrypt passwords from accessible configuration files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to configuration files containing encrypted passwords. The hardcoded keys make decryption trivial once the encrypted data is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Kylin 2.6.7, 3.1.3, 4.0.1

Vendor Advisory: https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy

Restart Required: Yes

Instructions:

1. Back up configuration files.
2. Upgrade to a patched version.
3. Re-encrypt all passwords using secure methods.
4. Restart Kylin services.
5. Verify that the new encryption is working.

🔧 Temporary Workarounds

Remove PasswordPlaceholderConfigurer usage (platform: all)

Replace encrypted passwords with plaintext or use secure external password management solutions.

# Manually edit configuration files to replace encrypted values

Restrict configuration file access (platform: linux)

Apply strict file permissions to prevent unauthorized access to configuration files:

chmod 600 kylin.properties
chown kylin:kylin kylin.properties

🧯 If You Can't Patch

  • Immediately re-encrypt all passwords using secure encryption methods with unique keys
  • Implement external secret management (Hashicorp Vault, AWS Secrets Manager, etc.) and remove passwords from configuration files

🔍 How to Verify

Check if Vulnerable:

Check configuration files for encrypted passwords and verify whether PasswordPlaceholderConfigurer was used to produce them. Check the Kylin version with 'kylin.sh version' or inspect the installation directory.

Check Version:

./bin/kylin.sh version

Verify Fix Applied:

After the upgrade, verify that the running version is a patched one and that new password encryption uses secure methods. Attempt to decrypt old encrypted values; they should fail with the new implementation.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with previously encrypted passwords
  • Configuration file access logs showing unauthorized reads

Network Indicators:

  • Unusual database connections from Kylin server
  • Traffic patterns suggesting credential harvesting

SIEM Query:

source="kylin.log" AND ("PasswordPlaceholderConfigurer" OR "encryption failed" OR "authentication failure")
