Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Kylin OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Apache Kylin versions 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, and 3.0.1. Certain RESTful APIs build an operating system command line by concatenating user-supplied request parameters into it and then execute that command on the server, without validating or escaping the input. An attacker who can reach these APIs can therefore inject shell metacharacters and execute arbitrary OS commands remotely.
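To make the bug pattern concrete, here is an added illustration written for this page; it is not Apache Kylin's own code and does not reproduce the affected endpoints. It models a hypothetical cube-migration handler (the feature the remediation below refers to): the vulnerable form splices a request parameter into a shell command string, the hardened form allowlists the identifier and passes it as a separate argv element so no shell ever parses it. KYLIN_HOME, MigrateCubeTool and the cube and config names are all assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative example only (not Kylin code): user input concatenated into an
 * OS command and run through a shell, beside a hardened equivalent.
 */
public class CubeMigrationExample {

    // Assumed install path; a real deployment reads it from the environment.
    private static final String KYLIN_HOME = "/opt/kylin";

    // Only plain identifiers are acceptable as cube / config names.
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z0-9_]{1,64}");

    /** VULNERABLE: the request parameter becomes part of a single shell command string. */
    public static String buildCommandVulnerable(String cubeName, String dstConfig) {
        // Hypothetical tool name; the point is the string concatenation, not the tool.
        return KYLIN_HOME + "/bin/kylin.sh MigrateCubeTool " + cubeName + " " + dstConfig;
    }

    public static int runVulnerable(String cubeName, String dstConfig)
            throws IOException, InterruptedException {
        // "sh -c" interprets ; | & $( ) and friends inside cubeName, so the
        // attacker's payload runs as the Kylin service account.
        Process p = new ProcessBuilder("/bin/sh", "-c",
                buildCommandVulnerable(cubeName, dstConfig)).inheritIO().start();
        return p.waitFor();
    }

    /** HARDENED: reject anything but an identifier, then build argv without a shell. */
    public static List<String> buildCommandHardened(String cubeName, String dstConfig) {
        if (cubeName == null || !SAFE_IDENTIFIER.matcher(cubeName).matches()) {
            throw new IllegalArgumentException("invalid cube name");
        }
        if (dstConfig == null || !SAFE_IDENTIFIER.matcher(dstConfig).matches()) {
            throw new IllegalArgumentException("invalid destination config");
        }
        List<String> argv = new ArrayList<>();
        argv.add(KYLIN_HOME + "/bin/kylin.sh");
        argv.add("MigrateCubeTool");
        argv.add(cubeName);   // one argv element: no word splitting, no metacharacters
        argv.add(dstConfig);
        return Collections.unmodifiableList(argv);
    }

    public static int runHardened(String cubeName, String dstConfig)
            throws IOException, InterruptedException {
        // No "/bin/sh -c": the JVM execs the script directly with these argv entries.
        Process p = new ProcessBuilder(buildCommandHardened(cubeName, dstConfig))
                .inheritIO().start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed malicious input: a valid-looking cube name followed by an injected command.
        String attacker = "kylin_sales_cube; id > /tmp/pwned";

        System.out.println("vulnerable command string: " + buildCommandVulnerable(attacker, "prod"));
        try {
            buildCommandHardened(attacker, "prod");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened path rejected input: " + e.getMessage());
        }
        System.out.println("hardened argv: " + buildCommandHardened("kylin_sales_cube", "prod"));
    }
}
```

The allowlist is the primary control, not the argv array on its own: kylin.sh is itself a shell script, so a value passed to it as a clean argument can still be re-expanded if that script interpolates it into another command line. Validating the identifier before it reaches any command construction closes both paths.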

Impact

Exploitation of this vulnerability allows remote code execution on the server where Apache Kylin is running, with the privileges of the OS account that runs the Kylin service.

Remediation

Users of Apache Kylin should upgrade to version 3.1.0 or later. As an interim mitigation for versions 2.3.0 through 2.6.5, set the Kylin configuration option 'kylin.tool.auto-migrate-cube.enabled' to false in kylin.properties and restart Kylin; this disables the automatic cube-migration feature whose API performs the vulnerable command execution, but it does not fix the underlying code, so upgrading remains the real remediation.

Added: Mar 16, 2026, 8:17 PM
Updated: Mar 16, 2026, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 9.1
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.