Published: June 2024

Author: [Exclusive Write-up]

Apache Linkis is a popular middleware that connects data applications (like BI, notebooks, and IDEs) with multiple computation engines. But improper security can open the door to attackers. This post breaks down CVE-2023-27987, a real vulnerability in Apache Linkis (versions 1.3.1 and below), explains how it works, why it matters, and how to fix it—with readable code samples and references.

What is CVE-2023-27987?

Simply put, the default token generated by Linkis’ Gateway (used for admin authentication) is too simple and predictable in versions <=1.3.1. If you deploy Linkis and don’t immediately change the default token, attackers can guess it and gain admin-like access to your Linkis instance.

Why does it exist?

- The Linkis Gateway deploy script generates a default token following a predictable or "weak" formula.
- No random value/salt is added, so it’s easy for attackers to figure out what the token is.

Let’s look at the kind of code responsible (simplified for explanation):

// Pseudo-code from older Linkis Gateway (<=1.3.1)
public class TokenManager {
    public String generateDefaultToken() {
        // WARNING: This is too simple! The value is a fixed string concatenation,
        // so every deployment gets the same token and it is trivially guessable.
        // Nothing random or deployment-specific is mixed in.
        return "linkis" + "123456";
    }
}

The token here (linkis123456) is obviously easy to guess. An attacker can simply try common tokens, or read the public documentation and source code to find the default value.

How would an attacker abuse it?

1. Reconnaissance: They detect a Linkis instance, for example by probing the default URLs/endpoints.

2. Gain Unauthorized Access: With this token, they now act as an administrator or authorized user.

3. Impact: Access to sensitive data, job submission abilities, or further movement inside the network.

Sample cURL Request (using default token)

curl -H "Token-Code: linkis123456" http://your-linkis-server:9001/api/rest_j/v1/job/history

If the server is unpatched and the default token is valid, this request may list job histories—potentially revealing sensitive data.

How would a pentester or red team find this?

- Scan a target for Linkis endpoints (/api/rest_j/ etc.).

- Move to other systems via lateral movement.

All with zero "hacking skill"—just a guessable token.

How do you fix it?

1. Upgrade ASAP

Upgrade to Linkis 1.3.2 or higher. This version changes token generation to include random values, so the token can no longer be predicted from the source code or documentation.

Download new version here:  
https://linkis.apache.org/docs/latest/download/

2. Manually Set Strong Tokens

Even after upgrade, always set a non-default, strong, random token and never share it.

- Use a long, random string (at least 16 chars, mix of upper/lower case, numbers, symbols).

Sample Secure Token Setting (properties file)

wds.linkis.gateway.admin.token=my$eCur3RandmToKEN2024!
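As an added example (not code from the Linkis project or from the original post), the following POSIX shell script shows both halves of the fix in practice: a token generator backed by the kernel CSPRNG that enforces the "long, random, mixed character classes" rule above, a weak-token check a defender can run against an existing configuration, and a helper that writes the value into a properties file under the wds.linkis.gateway.admin.token key from the sample. The file path, the function names and the deny-list of default values (seeded with the post's simplified linkis123456) are assumptions for this example; the actual defaults shipped by the release you run should be taken from the advisory.

```shell
#!/bin/sh
# Added example, not Apache Linkis project code. Generates a strong gateway
# admin token, rejects default or weak values, and writes the result into a
# properties file. The property key comes from the post above; the file path,
# function names and the default-token list are assumptions for this example.

ADMIN_TOKEN_KEY="wds.linkis.gateway.admin.token"
ADMIN_TOKEN_RE='^wds\.linkis\.gateway\.admin\.token='
# Constructed deny-list: the post's simplified default value. Extend it with
# the real defaults listed in the advisory for the release you run.
KNOWN_DEFAULT_TOKENS="linkis123456"
MIN_TOKEN_LEN=16

# Exit 0 when the string contains upper, lower, digit and symbol characters.
has_mixed_classes() {
    t="$1"
    printf '%s' "$t" | grep -q '[[:upper:]]' &&
    printf '%s' "$t" | grep -q '[[:lower:]]' &&
    printf '%s' "$t" | grep -q '[[:digit:]]' &&
    printf '%s' "$t" | grep -q '[^[:alnum:]]'
}

# Exit 0 (weak) when the token is a known default, too short, or lacks class mix.
is_weak_token() {
    t="$1"
    for d in $KNOWN_DEFAULT_TOKENS; do
        [ "$t" = "$d" ] && return 0
    done
    [ "${#t}" -lt "$MIN_TOKEN_LEN" ] && return 0
    has_mixed_classes "$t" || return 0
    return 1
}

# Draw N random bytes (default 32, i.e. 256 bits) from /dev/urandom and
# base64-encode them; retry until the result satisfies the class-mix rule.
generate_token() {
    nbytes="${1:-32}"
    while :; do
        t="$(dd if=/dev/urandom bs="$nbytes" count=1 2>/dev/null | base64 | tr -d '\n=')"
        if has_mixed_classes "$t"; then
            printf '%s\n' "$t"
            return 0
        fi
    done
}

# Read the current admin token from a properties file (empty output if unset).
get_admin_token() {
    sed -n "s/$ADMIN_TOKEN_RE//p" "$1"
}

# Replace (or add) the admin token line; refuses weak values, then locks down perms.
set_admin_token() {
    file="$1"; token="$2"
    if is_weak_token "$token"; then
        echo "refusing to write a weak admin token to $file" >&2
        return 1
    fi
    [ -f "$file" ] || : > "$file"
    grep -v "$ADMIN_TOKEN_RE" "$file" > "$file.tmp" || :   # grep exits 1 when nothing remains
    printf '%s=%s\n' "$ADMIN_TOKEN_KEY" "$token" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 600 "$file"   # the token is a credential; keep it out of world-readable files
}

# Defender check: exit 0 when the file holds a strong token, 1 when missing or weak.
audit_admin_token() {
    file="$1"
    t="$(get_admin_token "$file")"
    if [ -z "$t" ]; then
        echo "$file: no admin token set" >&2
        return 1
    fi
    if is_weak_token "$t"; then
        echo "$file: admin token is a default or weak value, rotate it" >&2
        return 1
    fi
    echo "$file: admin token looks strong"
    return 0
}

# Demo on a constructed config that still carries the post's example default.
PROPS="${TMPDIR:-/tmp}/linkis-mg-gateway.properties.example"
printf '%s=linkis123456\n' "$ADMIN_TOKEN_KEY" > "$PROPS"
audit_admin_token "$PROPS" || echo "-> rotating token"
set_admin_token "$PROPS" "$(generate_token)"
audit_admin_token "$PROPS"
```

Run the audit function against every gateway properties file in your deployment after an upgrade; the generator side is what a deploy script should do once per install, and the refusal in set_admin_token is there so a copy-pasted default can never be written back by mistake.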

- Official Apache Security Advisory: https://lists.apache.org/thread/pnf09gygt2wytgs1fs7tmrlnl3cn7jln

- Token Authorization Docs: https://linkis.apache.org/docs/latest/auth/token

- Release Notes/Fixes: https://linkis.apache.org/docs/latest/release_note/

- Don’t rely on defaults for any production deployment.

- Always review install/upgrade guides for any software.

***

Stay safe. Patch often. Use random tokens.  
*For more exclusive CVE breakdowns—follow and subscribe!*


Categories: #CVE #ApacheLinkis #Infosec #TokenSecurity

Timeline

Published on: 04/10/2023 08:15:00 UTC
Last modified on: 04/14/2023 08:15:00 UTC