Security Advisory - 29th April 2021

    Article Summary

    Security Advisory: Potential for Unauthorised Access to Matillion Server

    MAT-PSA-METL-2021-001

    Overview

    Matillion has released a hot fix for a security issue relating to our High Availability (HA) functionality that could allow an attacker to access credential data stored within Matillion ETL if executed from within your VPC.

    It is unlikely that this vulnerability has been exploited, as it requires both access to the same VPC in which a Matillion ETL instance is running and in-depth knowledge of the product. Matillion customers should upgrade to the latest security patch for the version identified below. The patch has been thoroughly tested on all platforms and is available now.

    Description

    Matillion ETL makes use of Hazelcast for some of its HA functionality. The variant of Hazelcast used in older versions of Matillion ETL did not provide adequate protection for communication across a Hazelcast cluster, nor did it adequately authenticate new nodes joining the cluster. As a result, an attacker within the same VPC could join the cluster and query information available to Hazelcast, such as access keys and credentials.

    Due to the way that Matillion ETL is packaged, this issue affects all versions of ETL, regardless of whether HA functionality is currently deployed.

    Impact

    An attacker who was able to exploit this vulnerability would be able to access any configuration information shared between Hazelcast nodes, such as secrets and credentials.

    Affected product and versions

    Matillion ETL all versions prior to 1.53.10, 1.51.8 and 1.50.11

    Solution

    The vulnerability is fixed in all Matillion ETL products from version 1.53.10 onwards. To remediate this vulnerability, upgrade immediately.
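    The fixed versions above are spread over three release branches (1.50.x, 1.51.x and 1.53.x), so a plain "is my version lower than 1.53.10" comparison would misclassify a patched 1.51.8 instance as vulnerable. The following Python is an added example, not part of Matillion's advisory, that triages a constructed inventory of instances using branch-aware comparison. It assumes version strings of the form major.minor.patch and, conservatively, treats any branch without a listed backport (for instance 1.52.x) as affected and directs it to 1.53.10; the hostnames are made up.

```python
import re

# Fixed versions named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (1, 50): (1, 50, 11),
    (1, 51): (1, 51, 8),
    (1, 53): (1, 53, 10),
}
# Everything at or above this release is fixed ("1.53.10 and newer").
FIX_BASELINE = (1, 53, 10)


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple.

    Any trailing suffix (build tag, packaging revision) is ignored; this is an
    assumption about how version strings look, not something the advisory states.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def fixed_version_for(version):
    """Return the version an instance on this branch should be upgraded to."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v >= FIX_BASELINE:
        return v  # already fixed; nothing to do
    fixed = FIXED_VERSIONS.get(v[:2])
    # Branches without a listed backport get the mainline fix (assumption).
    return fixed if fixed is not None else FIX_BASELINE


def is_affected(version):
    """True if the given Matillion ETL version predates the fix on its branch."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return v < fixed_version_for(v)


def triage(inventory):
    """Return the instances that still need the hot fix, with the target version.

    `inventory` is an iterable of (hostname, version_string) pairs.
    """
    findings = []
    for host, version in inventory:
        if is_affected(version):
            target = fixed_version_for(version)
            findings.append({
                "host": host,
                "version": version,
                "upgrade_to": ".".join(str(n) for n in target),
            })
    return findings


# Constructed sample inventory; hostnames and versions are invented for the example.
SAMPLE_INVENTORY = [
    ("etl-prod-1", "1.53.10"),   # on the baseline fix
    ("etl-prod-2", "1.53.9"),    # one behind on the 1.53 branch
    ("etl-uat", "1.51.8"),       # patched on the 1.51 branch
    ("etl-dev", "1.52.4"),       # branch with no listed backport
    ("etl-legacy", "1.50.3-2"),  # old 1.50 build with a packaging suffix
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['version']} -> upgrade to {finding['upgrade_to']}")
```

Run it against the output of your own version inventory (the advisory itself is the source of truth for which versions are fixed); instances on the 1.52 branch are flagged only because no backport is listed for it, so confirm that interpretation with Matillion before relying on it.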

    Vulnerability details

    Published Date: April 29, 2021
    Vulnerability Type: Command Injection / Information Disclosure

    Vulnerability Metrics

    Overall Score: 7.3

    CVSS Rating: High

    CVSS V3 Vector:
    AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:R/CR:H/IR:H/AR:H/MAV:A/MAC:H/MPR:H/MUI:R/MS:U/MC:H/MI:H/MA:H