CVE-2022-23942
📋 TL;DR
CVE-2022-23942 is a vulnerability in Apache Doris versions prior to 1.0.0: the cipher used to protect the stored LDAP password was initialized with a key and initialization vector (IV) hardcoded in the source. Because those constants ship with the open-source code, anyone who obtains the ciphertext can decrypt it, disclosing the credential and enabling credential theft and unauthorized access. Organizations running Apache Doris before 1.0.0 with LDAP authentication enabled are affected.
💻 Affected Systems
- Apache Doris (versions prior to 1.0.0)
📦 What is this software?
Apache Doris is an open-source MPP analytical database. Its frontend (FE) nodes accept SQL over the MySQL protocol on port 9030 and HTTP on port 8030, and can authenticate users against an LDAP directory.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains the encrypted LDAP password decrypts it with the publicly known key and IV, uses the recovered credential against Doris and the LDAP directory, and pivots to any other system where the same password is valid.
Likely Case
Attackers with access to the encrypted password storage decrypt LDAP credentials and gain unauthorized access to the Apache Doris database.
If Mitigated
With strict network segmentation, tight access control on wherever the encrypted password lives (FE metadata, configuration files, backups), and prompt rotation of the LDAP password, impact is limited to the Doris instance itself without lateral movement.
🎯 Exploit Status
Exploitation requires read access to the encrypted password, for example through FE metadata, configuration files or backups of them. The hardcoded key and IV are in the public source, so decryption is trivial once the ciphertext is obtained; that step needs no interaction with a running Doris instance.
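The weakness behind this CVE, shown as an added example that is not Apache Doris's own code: a constructed AES-CBC routine whose key and IV are baked into the source (the byte values below are made up for the example, not the real constants), next to the hardened pattern a practitioner should expect, a key supplied from outside the code base and a fresh random nonce per encryption (AES-GCM). WeakDecrypt is exactly what an attacker with a copy of the source runs on ciphertext lifted from metadata or a backup. All function names here are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-ins for constants shipped in source. They are NOT the values
// from Apache Doris; the point is that every copy of the code carries them.
var (
	weakKey      = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	weakIV       = []byte("fedcba9876543210")                 // 16 bytes: one AES block
	weakBlock, _ = aes.NewCipher(weakKey)                     // fixed-length key, cannot fail
)

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

// pkcs7Unpad assumes len(b) > 0 and len(b) % n == 0 (checked by the caller).
func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	p := int(b[len(b)-1])
	if p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// WeakEncrypt is the vulnerable pattern: AES-CBC under a fixed key and fixed IV.
// Output is deterministic and reversible by anyone who has read the source.
func WeakEncrypt(plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(weakBlock, weakIV).CryptBlocks(out, padded)
	return out
}

// WeakDecrypt is what an attacker runs on ciphertext lifted from metadata or a backup.
func WeakDecrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(weakBlock, weakIV).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// NewKey returns a fresh 256-bit key; a deployment loads it from a key file or
// secret store the operator controls, never from the source tree.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // no usable entropy: refuse to continue with a weak key
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StrongEncrypt: AES-GCM with a random nonce per call, nonce prepended to the
// ciphertext, so equal plaintexts encrypt differently and tampering is detected.
func StrongEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// StrongDecrypt splits off the nonce and authenticates before returning plaintext.
func StrongDecrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	secret := []byte("ldap-bind-password") // constructed sample credential
	c1, c2 := WeakEncrypt(secret), WeakEncrypt(secret)
	pt, _ := WeakDecrypt(c1)
	fmt.Printf("weak:   repeatable=%v recovered=%q\n", bytes.Equal(c1, c2), pt)
	key := NewKey()
	s1, _ := StrongEncrypt(key, secret)
	s2, _ := StrongEncrypt(key, secret)
	fmt.Printf("strong: repeatable=%v\n", bytes.Equal(s1, s2))
}
```

Two properties matter in practice. First, with the constants in hand the attacker needs nothing from the live system beyond the ciphertext. Second, the fixed IV makes encryption deterministic: the same password produces the same ciphertext in every deployment, so a precomputed table of common passwords identifies the plaintext without even running the decryptor. The GCM version avoids both, and its authentication tag means a ciphertext swapped in from another deployment or edited in a backup is rejected rather than silently decrypted.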
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0 and later
Vendor Advisory: https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
Restart Required: Yes
Instructions:
1. Upgrade Apache Doris to version 1.0.0 or later.
2. Restart all Doris services.
3. If LDAP is configured, rotate the LDAP password after the upgrade: any copy of the old ciphertext (metadata, backups) can still be decrypted with the public constants.
🔧 Temporary Workarounds
Disable LDAP Authentication
Temporarily disable LDAP authentication until patching is complete.
Modify fe.conf: enable_ldap_auth = false
Restart the Doris FE service.
Confirm the option name and file against the LDAP documentation for your Doris version before relying on it, and make sure local Doris accounts exist for the users who need access while LDAP is off.
Network Isolation
Restrict network access to Doris FE instances (Linux, iptables). Rules are evaluated in order, so the ACCEPT must be appended before the DROP, and both the MySQL port (9030) and the HTTP port (8030) should be covered:
iptables -A INPUT -p tcp --dport 9030 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport 9030 -j DROP
iptables -A INPUT -p tcp --dport 8030 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport 8030 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can connect to Apache Doris instances
- Monitor for unusual authentication attempts and review access logs regularly
🔍 How to Verify
Check if Vulnerable:
Determine the running FE version: connect with a MySQL client to the FE query port (9030) and run SHOW FRONTENDS, whose Version column reports the build of each FE node, or check the web UI. If the version is below 1.0.0 and LDAP authentication is enabled, the system is vulnerable.
Check Version:
mysql -h <doris_fe_host> -P 9030 -u root -p -e 'SHOW FRONTENDS\G' | grep -i version
Verify Fix Applied:
Confirm that SHOW FRONTENDS reports 1.0.0 or higher on every FE node, that LDAP authentication still functions after the upgrade, and that the LDAP password has been rotated so the previously stored ciphertext is no longer useful.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed LDAP authentication attempts from unusual sources
- Successful LDAP logins from unexpected IP addresses or users
Network Indicators:
- Unusual traffic patterns to Doris ports (9030, 8030) from unauthorized sources
SIEM Query:
source="doris_fe.log" AND ("LDAP" AND ("failed" OR "success")) | stats count by src_ip, user
🔗 References
- http://www.openwall.com/lists/oss-security/2022/04/26/2
- http://www.openwall.com/lists/oss-security/2022/04/26/3
- https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt