Security Advisory for CVE-2025-2402

Description

Vulnerability (Detailed)

Execution services use static MinIO secret.

A security vulnerability has been discovered in all versions of KNIME Business Hub. We've identified that the current Kubernetes secret configuration could potentially allow parties with specific credential knowledge to interact with job-related data on accessible KNIME Business Hub installations.

The corresponding CVE record CVE-2025-2402 will be made public on March, 31st 2025.

Affected Versions

All versions of KNIME Business Hub (version 1.13.x, 1.12.x, 1.11.x, 1.10.x or older).

Severity

The vulnerability is rated HIGH (CVSS Score 8.8).

Exploitability

We assess the risk of exploitation as very low. We proactively discovered the issue during our internal development process. It was not detected in any previous penetration tests, it is not publicly known, and it only affects our KNIME Business Hub software setup.

What do you need to do?

We strongly recommend upgrading to one of the following patched versions as soon as possible:

KNIME Business Hub version 1.13.x, please upgrade to 1.13.2.
KNIME Business Hub version 1.12.x, please upgrade to 1.12.3.
KNIME Business Hub version 1.11.x, please upgrade to 1.11.3.
KNIME Business Hub version 1.10.x or older, please upgrade to 1.10.3.

Workaround

There is no viable workaround for this issue.

Forensic analysis

It is possible to verify whether the vulnerability has been exploited by reviewing requests made to the embedded object store (MinIO). These requests are logged by the ingress-nginx-controller container. Suspicious activity may be identified if you observe:

Requests originating from a cluster-external IP address,
Requests with a path prefix of /knime-execution-jobs, and
Requests lacking parameters such as X-Amz-Signature or X-Amz-Credential, indicating they are not pre-signed URLs.

Such requests should be considered potentially suspicious and warrant further investigation. We have included some examples for your reference.

Some examples:

Cluster internal requests are no indication of an attack

10.32.0.151 - - [17/Mar/2025:08:33:32 +0000] "GET /knime-execution-jobs/?prefix=8de33689-2a58-4379-9459-c7363cf0f912&encoding-type=url HTTP/1.1" 200 337 "-" "aws-sdk-java/1.12.668 Linux/5.15.0-1052-aws OpenJDK_64-Bit_Server_VM/21.0.6+7-LTS java/21.0.6 vendor/Eclipse_Adoptium cfg/retry-mode/legacy" 899 0.003 [knime-minio-9000] [] 10.32.0.191:9000 337 0.003 200 ba9f80c8e8d69153e90241dac3b23fa3

External requests with pre-signed URLs are no indication of an attack

31.32.33.34 - - [17/Mar/2025:09:00:59 +0000] "GET /knime-execution-jobs/9edf7f92-ddf6-42a0-bae9-5155705c8070/job-output-output-parameter?response-content-disposition=attachment%3B%20filename%3D%22external-node-input-13871012486525021181.table%22&response-content-type=application%2Foctet-stream&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250317T090059Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=execution-services%2F20250317%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ed508177b09d4f31408c91d5a4f3ee0ec11880c43f477d4d3e1a24eaa843ac72 HTTP/1.1" 200 8489 "-" "Apache-CXF/4.0.4" 834 0.001 [knime-minio-9000] [] 10.32.0.240:9000 8489 0.001 200 cac08bfd85465a5793ffaefab87bf95a

External requests without presigned URLs - the corresponding headers are missing - are suspicious, they don’t happen under normal operation

31.32.33.34 - - [19/Mar/2025:08:15:39 +0000] "PUT /knime-execution-jobs/02ad998d-75c0-49cd-a97c-befc6c873244/job.log?x-id=PutObject HTTP/2.0" 200 0 "-" "aws-sdk-go-v2/1.26.1 os/linux lang/go#1.23.6 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.1 ft/s3-transfer" 38324 0.047 [knime-minio-9000] [] 10.32.0.157:9000 0 0.047 200 65070e5bfa768309db09e09e72e4ea9c

If you have any questions or require additional guidance, please contact support@knime.com.