The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a four-year-old security flaw affecting Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation.
The flaw, tracked as CVE-2020-17519, poses significant risks due to improper access control, allowing unauthorized access to sensitive information.
Researchers Observed Active Exploitation of Apache Flink Vulnerability
CISA describes vulnerabilities such as the Apache Flink Vulnerability which have been added to its Known Exploited Vulnerabilities catalog as “frequent attack vectors for malicious cyber actors” and as posing significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use.
CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream-processing and batch-processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1, and 1.11.2 of the framework, potentially enabling remote attackers to access files specific to the local JobManager filesystem through the use of specially crafted directory traversal requests, leading to unauthorized access.
While precise details of ongoing campaigns exploiting the Apache Flink Vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by a project maintainer. The project Apache Flink thread states:
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
Access is restricted to files accessible by the JobManager process.
The discovery of the vulnerability was credited to “0rich1” from Ant Security FG Lab, with working exploit code of the vulnerability available on the public web. In the same year, researchers from Palo Alto Networks had observed the vulnerability among the most commonly exploited vulnerabilities during the Winter 2020 period using information collected between November 2020 and January 2021.
Mitigation Measures and Binding Directives
The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0 to the master branch of the project. Users running affected versions are strongly urged to upgrade to these versions to secure their systems.
CISA has mandated federal agencies to apply necessary patches by June 13, 2024. This directive operates under the Binding Operational Directive (BOD) which requires Federal Civilian Executive Branch (FCEB) agencies to implement fixes for listings in the Known Exploited Vulnerabilities Catalog to protect agency networks against active threats.
Although the directive only applies to FCEB agencies, CISA has urged all organizations to reduce their exposure to cyberattacks through applying the mitigations in the catalog as per vendor instructions or to discontinue the use of affected products if mitigations are unavailable.
In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities present in widely deployed open-source projects, frameworks and components.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
