The maintainers of Apache Superset have released a patch to address a vulnerability that could allow attackers to execute remote code. The flaw (CVE-2023-27524) affects Apache Superset versions up to and including 2.0.1, and is related to the use of a default SECRET_KEY that attackers can use to gain access to unauthorized resources.
Attackers who have knowledge of the SECRET_KEY could log in as administrators, harvest credentials, and compromise data.
A cybersecurity firm discovered that 918 of the 1,288 publicly-accessible Apache Superset servers it surveyed were using the default configuration in October 2021.
The vulnerability does not affect Apache Superset instances that have changed the default value for the SECRET_KEY configuration to a more secure random string.
On January 11, 2022, the project maintainers attempted to address the issue by rotating the SECRET_KEY value to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET” in the Python code.
However, an expanded search conducted in February 2023 using four keys uncovered 3,176 instances, with 2,124 using one of the default keys. Some of the affected organizations are large corporations, small companies, government agencies, and universities.
A new update (version 2.1) was released on April 5, 2023, to plug the security hole by preventing the server from starting up if it is configured with the default SECRET_KEY. However, the fix is not foolproof, as Superset can still be run with a default SECRET_KEY if installed through a docker-compose file or a helm template.
Some configurations also set admin/admin as the default credential for the admin user. A Python script has been made available to determine if Superset instances are susceptible to the flaw.
Naveen Sunkavally, the chief architect at Horizon3.ai, has suggested that applications should be designed to force users along a path where they have no choice but to be secure by default.
