Security Advisory - 29th April 2021
Security Advisory: Potential for Unauthorised Access to Matillion Server
MAT-PSA-METL-2021-001
Overview
Matillion has released a hot fix for a security issue relating to our High Availability (HA) functionality that could allow an attacker to access credential data stored within Matillion ETL if executed from within your VPC.
It is unlikely that this vulnerability would have been exploited, as it requires both access to the same VPC that is running a Matillion ETL instance and in-depth knowledge of the product. Matillion customers should upgrade to the latest security patch on the version identified below. This has been thoroughly tested on all platforms and is available now.
Description
Matillion ETL makes use of Hazelcast for some of its HA functionality. The variant of Hazelcast used in older versions of Matillion ETL did not provide adequate protection for communication across a Hazelcast cluster, nor did it adequately authenticate new nodes joining the cluster. As a result, an attacker within the same VPC could join the cluster and query information available to Hazelcast, such as access keys and credentials.
Due to the way that Matillion ETL is packaged, this issue affects all versions of ETL, regardless of whether HA functionality is currently deployed.
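The description above turns on a node outside the legitimate cluster being able to connect to the members' Hazelcast port. The following is an added detection example, not code from the advisory or from Matillion, that scans flow records for accepted TCP connections to that port from addresses that are not known cluster members. It assumes the Hazelcast default member port of 5701, a hypothetical list of known member addresses, and a constructed VPC-flow-log-like record layout ("srcaddr dstaddr dstport protocol action"); a real deployment would substitute its own member list, port, and log format.

```python
import ipaddress
from collections import defaultdict

# Assumption: the cluster listens on Hazelcast's default member port.
HAZELCAST_PORT = 5701

# Assumption (hypothetical values): the instances that legitimately form the HA cluster.
KNOWN_MEMBERS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample records in a VPC-flow-log-like layout:
# "srcaddr dstaddr dstport protocol action" (protocol 6 = TCP).
SAMPLE_FLOWS = """\
10.0.1.11 10.0.1.10 5701 6 ACCEPT
10.0.1.10 10.0.1.11 5701 6 ACCEPT
10.0.3.77 10.0.1.10 5701 6 ACCEPT
10.0.3.77 10.0.1.11 5701 6 ACCEPT
10.0.2.5 10.0.1.10 443 6 ACCEPT
10.0.3.77 10.0.1.10 5701 6 REJECT
not a valid record
"""


def parse_flows(text):
    """Parse the constructed record layout, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, port, proto, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            records.append({
                "src": src,
                "dst": dst,
                "port": int(port),
                "proto": int(proto),
                "action": action,
            })
        except ValueError:
            continue
    return records


def find_unexpected_cluster_peers(records, members=KNOWN_MEMBERS, port=HAZELCAST_PORT):
    """Return {source: set(member_targets)} for accepted TCP flows that reach a
    known member's Hazelcast port from an address that is not itself a member.
    Rejected flows and traffic between members are not reported."""
    findings = defaultdict(set)
    for r in records:
        if r["action"] != "ACCEPT" or r["proto"] != 6 or r["port"] != port:
            continue
        if r["dst"] in members and r["src"] not in members:
            findings[r["src"]].add(r["dst"])
    return dict(findings)


if __name__ == "__main__":
    for src, targets in find_unexpected_cluster_peers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"non-member {src} reached Hazelcast port on: {sorted(targets)}")
```

The check is intentionally narrow: it reports only accepted connections, so a security group that already blocks the port produces no findings, and member-to-member traffic is ignored so that normal cluster chatter does not generate noise.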
Impact
An attacker who was able to exploit this vulnerability would be able to access any configuration information shared between Hazelcast nodes, such as secrets and credentials.
Affected product and versions
Matillion ETL, all versions prior to 1.53.10, 1.51.8 and 1.50.11.
Solution
The vulnerability is fixed in all Matillion ETL products version 1.53.10 and newer. To remediate this vulnerability, upgrade immediately.
Vulnerability details
Published Date: April 29, 2021
Vulnerability Type: Command Injection / Information Disclosure
Vulnerability Metrics
Overall Score: 7.3
CVSS Rating: High
CVSS v3 Vector: AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:R/CR:H/IR:H/AR:H/MAV:A/MAC:H/MPR:H/MUI:R/MS:U/MC:H/MI:H/MA:H