Security News > 2023 > April > Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks
The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution.
Ai, described the issue as "a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data."
It's worth noting that the flaw does not affect Superset instances that have changed the default value for the SECRET KEY config to a more cryptographically secure random string.
The cybersecurity firm, which found that the SECRET KEY is defaulted to the value "x02x01thisismyscretkeyx01x02eyyh" at install time, said that 918 out of 1,288 publicly-accessible servers were using the default configuration in October 2021.
Following responsible disclosure to the Apache security team a second time, a new update was released on April 5, 2023, to plug the security hole by preventing the server from starting up altogether if it's configured with the default SECRET KEY. UPCOMING WEBINAR. Zero Trust + Deception: Learn How to Outsmart Attackers!
"The docker-compose file contains a new default SECRET KEY of TEST NON DEV SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user."
News URL
https://thehackernews.com/2023/04/apache-superset-vulnerability-insecure.html
Related news
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration (source)
- CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- New NachoVPN attack uses rogue VPN servers to install malicious updates (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)