CVE-2021-45458: Inadequate Encryption Strength

January 6, 2022 (updated July 21, 2023)

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin’s configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

References

www.openwall.com/lists/oss-security/2022/01/06/3
www.openwall.com/lists/oss-security/2022/01/06/7
lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy
nvd.nist.gov/vuln/detail/CVE-2021-45458

Detect and mitigate CVE-2021-45458 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →