CVE-2021-45458: 
Java vulnerability analysis and mitigation

Apache Kylin's encryption class PasswordPlaceholderConfigurer, designed to help users encrypt passwords, contains a vulnerability where the cipher is initialized with a hardcoded key and IV. This vulnerability affects Apache Kylin 2 version 2.6.6 and prior versions, Apache Kylin 3 version 3.1.2 and prior versions, and Apache Kylin 4 version 4.0.0 and prior versions. The vulnerability was disclosed on January 6, 2022 (NVD, Apache Advisory).

The vulnerability exists in org.apache.kylin.common.util.EncryptUtil where the cipher is initialized with a hardcoded key and IV. The implementation uses AES/CFB/PKCS5Padding encryption with a static key and initialization vector, making it susceptible to unauthorized decryption. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

If users utilize the PasswordPlaceholderConfigurer class to encrypt their passwords and store them in Kylin's configuration file, there is a risk that these passwords could be decrypted by malicious actors due to the hardcoded encryption parameters (OSS Security).

Users of Kylin 2.x & Kylin 3.x should upgrade to version 3.1.3 or apply the patch from https://github.com/apache/kylin/pull/1782. Users of Kylin 4.x should upgrade to version 4.0.1 or apply the patch from https://github.com/apache/kylin/pull/1781. After upgrading, users need to configure the value of kylin.security.encrypt.cipher.ivSpec in kylin.properties for the encryption algorithm and re-encrypt their passwords (OSS Security).