[SECURITY] Urgent Security Advisory
Security vulnerabilities have been identified in older versions of Yellowfin that may impact customers who have not yet upgraded to the latest versions.
We urge all Customers to upgrade their Yellowfin installations as soon as possible to a non-affected version - either 9.8.1.3 or 8.0.11.3.
NOTE: 9.8.1.3 was released 16/02/2023 with some additional fixes which can be found via our Release Notes here.
8.0.11.2 already contains fixes for all vulnerabilities except SEC-772.
Please contact support with any questions or issues about this security advisory. If you need help with your upgrade or other Yellowfin advisory services, please contact our team here, and a member of our team will reach out to you.
An authentication bypass became possible via StoryBodyAction (Yellowfin ID SEC-773)
Fixed in version: 9.8.1.1, 8.0.11.2
Affected versions: Version 8: 8.0.3 and above prior to 8.0.11.2; Version 9: All versions prior to 9.8.1.1
There are no function checks on StoryBodyAction, so it is always available and cannot be disabled with Role Functions. The action runs before a user is authenticated, so it does not know who the user is or whether the functionality should be restricted.
The encryption performed in StoriesApiService does not use Yellowfin's internal Crypto functions and therefore cannot be remedied by the Custom Encryption Key task.
Another authentication bypass existed in the JsAPI Servlet because of the EXTAPI-IPID cookie (Yellowfin ID SEC-774)
Fixed in version: 9.8.1.1, 8.0.11.2
Affected versions: Version 7: 7.3 and above; Version 8: All versions prior to 8.0.11.2; Version 9: All versions prior to 9.8.1.1
There are no function checks on this functionality, as it runs before a user is authenticated and therefore does not know who the user is or whether the functionality should be restricted.
The encryption that happens on JsAPI2AuthHandler uses a legacy Crypto function and therefore cannot be remedied by the Custom Encryption Key task.
The JWT implementation inside the REST API relied on a hardcoded key, allowing the creation of a forged JWT token (Yellowfin ID SEC-770)
Fixed in version: 9.8.1.1, 8.0.11.2
Affected versions: Version 8: 8.0.3 and above prior to 8.0.11.2; Version 9: All versions prior to 9.8.1.1
There are no function checks on this functionality, and it cannot be disabled with a role function.
The exploitable component does not use any of Yellowfin's encryption infrastructure and therefore cannot be remedied by the Custom Encryption Key task.
Blocking access to the /api/* endpoints prevents this exploit.
Execution of arbitrary commands via Java Naming and Directory Interface (JNDI) injections (Yellowfin ID SEC-772)
Fixed in version: 9.8.1.1 and 8.0.11.3
Affected versions: Version 7: All versions; Version 8: All versions prior to 8.0.11.3; Version 9: All versions prior to 9.8.1.1
The JNDI interface allows endpoints other than data sources to be accessed, which can lead to code injection.
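As an added example (not code from this advisory or from Yellowfin), the following Python script transcribes the affected-version ranges listed above so that a deployed version string can be checked against all four issues at once. It assumes dotted numeric version strings like the ones used in this advisory.

```python
# Added example, not Yellowfin's own code: check a deployed Yellowfin version
# string against the affected-version ranges stated in this advisory.
import re


def parse_version(text):
    """Turn '8.0.11.2' (or 'v8.0.11.2') into a comparable tuple, zero-padded to 4 parts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return parts + (0,) * (4 - len(parts))


# Per issue: (inclusive lower bound, exclusive upper bound) for each affected
# major line, transcribed from the "Affected versions" lines above.
# A bare major number such as "9" means the start of that major line.
AFFECTED = {
    "SEC-773": [("8.0.3", "8.0.11.2"), ("9", "9.8.1.1")],
    "SEC-774": [("7.3", "8"), ("8", "8.0.11.2"), ("9", "9.8.1.1")],
    "SEC-770": [("8.0.3", "8.0.11.2"), ("9", "9.8.1.1")],
    "SEC-772": [("7", "8"), ("8", "8.0.11.3"), ("9", "9.8.1.1")],
}


def affected_issues(version):
    """Return the sorted advisory IDs whose affected ranges include this version."""
    v = parse_version(version)
    hits = []
    for issue, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(issue)
    return sorted(hits)


def needs_upgrade(version):
    """True when at least one issue in this advisory still applies."""
    return bool(affected_issues(version))


if __name__ == "__main__":
    # Constructed sample versions spanning the 7, 8 and 9 lines.
    for v in ("7.4", "8.0.2", "8.0.11.2", "8.0.11.3", "9.8.1", "9.8.1.3"):
        print(v, affected_issues(v) or "not affected")
```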
Regards,
The Yellowfin Team