Vulnerability (Detailed)
Execution services use a static MinIO secret.
A security vulnerability has been discovered in all versions of KNIME Business Hub. We've identified that the current Kubernetes secret configuration could potentially allow parties with specific credential knowledge to interact with job-related data on accessible KNIME Business Hub installations.
The corresponding CVE record CVE-2025-2402 will be made public on March 31st, 2025.
Affected Versions
All versions of KNIME Business Hub (versions 1.13.x, 1.12.x, 1.11.x, 1.10.x and older).
Severity
The vulnerability is rated HIGH (CVSS Score 8.8).
Exploitability
We assess the risk of exploitation as very low. We proactively discovered the issue during our internal development process. It was not detected in any previous penetration tests, it is not publicly known, and it only affects our KNIME Business Hub software setup.
What do you need to do?
We strongly recommend upgrading to one of the following patched versions as soon as possible:
Workaround
There is no viable workaround for this issue.
Forensic analysis
It is possible to verify whether the vulnerability has been exploited by reviewing requests made to the embedded object store (MinIO). These requests are logged by the ingress-nginx-controller container. Suspicious activity may be identified if you observe:
Such requests should be considered potentially suspicious and warrant further investigation. Some example log lines from the ingress-nginx-controller container are included below for your reference:
10.32.0.151 - - [17/Mar/2025:08:33:32 +0000] "GET /knime-execution-jobs/?prefix=8de33689-2a58-4379-9459-c7363cf0f912&encoding-type=url HTTP/1.1" 200 337 "-" "aws-sdk-java/1.12.668 Linux/5.15.0-1052-aws OpenJDK_64-Bit_Server_VM/21.0.6+7-LTS java/21.0.6 vendor/Eclipse_Adoptium cfg/retry-mode/legacy" 899 0.003 [knime-minio-9000] [] 10.32.0.191:9000 337 0.003 200 ba9f80c8e8d69153e90241dac3b23fa3
31.32.33.34 - - [17/Mar/2025:09:00:59 +0000] "GET /knime-execution-jobs/9edf7f92-ddf6-42a0-bae9-5155705c8070/job-output-output-parameter?response-content-disposition=attachment%3B%20filename%3D%22external-node-input-13871012486525021181.table%22&response-content-type=application%2Foctet-stream&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250317T090059Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=execution-services%2F20250317%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ed508177b09d4f31408c91d5a4f3ee0ec11880c43f477d4d3e1a24eaa843ac72 HTTP/1.1" 200 8489 "-" "Apache-CXF/4.0.4" 834 0.001 [knime-minio-9000] [] 10.32.0.240:9000 8489 0.001 200 cac08bfd85465a5793ffaefab87bf95a
31.32.33.34 - - [19/Mar/2025:08:15:39 +0000] "PUT /knime-execution-jobs/02ad998d-75c0-49cd-a97c-befc6c873244/job.log?x-id=PutObject HTTP/2.0" 200 0 "-" "aws-sdk-go-v2/1.26.1 os/linux lang/go#1.23.6 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.1 ft/s3-transfer" 38324 0.047 [knime-minio-9000] [] 10.32.0.157:9000 0 0.047 200 65070e5bfa768309db09e09e72e4ea9c
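The log review described above, as an added example that is not part of the advisory: a small Python script that parses ingress-nginx-controller access-log lines in the format shown, keeps the requests that reached the knime-minio-9000 upstream for the /knime-execution-jobs/ bucket, and reports those that did not originate from the cluster-internal address range. The internal range (10.0.0.0/8) is an assumption standing in for whatever your installation actually uses; the three sample lines are the advisory's own examples embedded inline. For each reported request it also extracts the access key named in the X-Amz-Credential parameter when the URL was presigned, since that shows which credential signed the request.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Default ingress-nginx access-log format; the advisory's sample lines use it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<req_len>\d+) (?P<req_time>[\d.]+) '
    r'\[(?P<upstream>[^\]]*)\] \[(?P<alt_upstream>[^\]]*)\] '
    r'(?P<upstream_addr>\S+) (?P<up_len>\S+) (?P<up_time>\S+) (?P<up_status>\S+) (?P<req_id>\S+)$'
)

MINIO_UPSTREAM = "knime-minio-9000"            # upstream name as it appears in the advisory's examples
JOB_BUCKET_PREFIX = "/knime-execution-jobs/"   # bucket holding job-related data

# ASSUMPTION: address ranges from which the execution services legitimately reach MinIO
# (pod/node network). Replace with the ranges used by your own installation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed input: the three sample lines from the advisory, unchanged.
SAMPLE_LINES = [
    '10.32.0.151 - - [17/Mar/2025:08:33:32 +0000] "GET /knime-execution-jobs/?prefix=8de33689-2a58-4379-9459-c7363cf0f912&encoding-type=url HTTP/1.1" 200 337 "-" "aws-sdk-java/1.12.668 Linux/5.15.0-1052-aws OpenJDK_64-Bit_Server_VM/21.0.6+7-LTS java/21.0.6 vendor/Eclipse_Adoptium cfg/retry-mode/legacy" 899 0.003 [knime-minio-9000] [] 10.32.0.191:9000 337 0.003 200 ba9f80c8e8d69153e90241dac3b23fa3',
    '31.32.33.34 - - [17/Mar/2025:09:00:59 +0000] "GET /knime-execution-jobs/9edf7f92-ddf6-42a0-bae9-5155705c8070/job-output-output-parameter?response-content-disposition=attachment%3B%20filename%3D%22external-node-input-13871012486525021181.table%22&response-content-type=application%2Foctet-stream&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250317T090059Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=execution-services%2F20250317%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ed508177b09d4f31408c91d5a4f3ee0ec11880c43f477d4d3e1a24eaa843ac72 HTTP/1.1" 200 8489 "-" "Apache-CXF/4.0.4" 834 0.001 [knime-minio-9000] [] 10.32.0.240:9000 8489 0.001 200 cac08bfd85465a5793ffaefab87bf95a',
    '31.32.33.34 - - [19/Mar/2025:08:15:39 +0000] "PUT /knime-execution-jobs/02ad998d-75c0-49cd-a97c-befc6c873244/job.log?x-id=PutObject HTTP/2.0" 200 0 "-" "aws-sdk-go-v2/1.26.1 os/linux lang/go#1.23.6 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.1 ft/s3-transfer" 38324 0.047 [knime-minio-9000] [] 10.32.0.157:9000 0 0.047 200 65070e5bfa768309db09e09e72e4ea9c',
]


@dataclass
class Finding:
    client: str
    time: str
    method: str
    path: str                     # object path without the query string
    agent: str
    presigned_as: Optional[str]   # access key from X-Amz-Credential, if the URL was presigned
    req_id: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one ingress-nginx access-log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr: str) -> bool:
    """True if the client address falls inside the assumed cluster-internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def presigned_credential(path: str) -> Optional[str]:
    """Access key from an S3 presigned URL (X-Amz-Credential=<key>/<date>/<region>/s3/aws4_request), else None."""
    cred = parse_qs(urlsplit(path).query).get("X-Amz-Credential")
    return cred[0].split("/", 1)[0] if cred else None


def review(lines: Iterable[str]) -> List[Finding]:
    """Report requests to the job bucket on the MinIO upstream that did not come from an internal address."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["upstream"] != MINIO_UPSTREAM:
            continue
        if not rec["path"].startswith(JOB_BUCKET_PREFIX):
            continue
        if is_internal(rec["client"]):
            continue
        findings.append(Finding(
            client=rec["client"], time=rec["time"], method=rec["method"],
            path=rec["path"].split("?", 1)[0], agent=rec["agent"],
            presigned_as=presigned_credential(rec["path"]), req_id=rec["req_id"],
        ))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LINES):
        signer = f.presigned_as or "none"
        print(f"{f.time} {f.client} {f.method} {f.path} agent={f.agent!r} presigned_as={signer} req_id={f.req_id}")
```

Run against a real ingress-nginx log, feed the file's lines to review(); the two external requests in the advisory's examples are reported and the first, cluster-internal listing is not. The req_id at the end of each finding is the ingress request id, which lets you correlate a hit with other components' logs.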
If you have any questions or require additional guidance, please contact support@knime.com.