CVE-2020-17518 in Flink
Summary
by MITRE • 01/05/2021
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP header. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.
Analysis
by VulDB Data Team • 01/05/2021
This vulnerability is a critical path traversal and arbitrary file write flaw in Apache Flink versions prior to 1.11.3 and 1.12.0, located in the REST API handler implementation. It stems from insufficient input validation in the file upload mechanism that processes HTTP headers: a crafted header value controls the destination path of the uploaded file. A remote attacker can therefore write files to any location where the Flink process has write permissions, which can lead to privilege escalation and system compromise.
Technically, the flaw lies in how Flink handles file upload operations through its REST interface. The HTTP header carrying the file path information is neither sanitized nor validated before it is used, so a request whose header value contains directory traversal sequences or an absolute path bypasses the intended upload location and the file system restrictions that depend on it. The flaw operates at the application layer and abuses the trust the handler places in client-supplied header contents.
From an operational perspective, the vulnerability poses significant risk to organizations running exposed Flink instances, because arbitrary file system modification can lead to complete compromise of the host. Every release from 1.5.1 up to the fixed versions 1.11.3 and 1.12.0 is affected, so the issue is widespread across deployments. Attackers could overwrite critical system files, inject malicious code into running processes, or establish persistence through file creation in system directories writable by the Flink service account.
The fix in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 introduces proper validation and sanitization of the path parameters in the REST API file handling code. This remediation aligns with the security practices associated with CWE-22 Path Traversal and CWE-73 Arbitrary File Write, which are commonly referenced in vulnerability assessments. Organizations should also consider network segmentation to limit exposure of Flink instances, ensure that only authorized users can reach the REST endpoints, and map their detections to the ATT&CK techniques that cover privilege escalation through file system manipulation.
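To make the flaw and its remediation concrete, here is an added Python example (not Flink's own code, which is Java, and not the patch from the commit above): the naive join of a header-derived filename onto the upload directory, beside a hardened version that keeps only the final path component and verifies the result still resolves inside the upload directory. The upload directory and the sample filenames are constructed for illustration.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath

UPLOAD_DIR = "/srv/flink/upload"  # hypothetical upload directory, not Flink's default


def unsafe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Vulnerable pattern from the text: the filename taken from the request
    header is joined onto the upload directory unmodified, so '..' segments
    walk out of it and an absolute name replaces it outright (os.path.join
    discards upload_dir when client_filename is absolute)."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def upload_root(upload_dir: str) -> str:
    """Canonical upload directory (symlinks resolved) used for containment."""
    return os.path.realpath(upload_dir)


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Hardened version: keep only the last path component, treating both '/'
    and '\\' as separators so Windows-style names cannot smuggle segments;
    reject empty/dot names and NUL bytes; then verify the resolved target
    still sits directly inside the upload directory."""
    base = PureWindowsPath(PurePosixPath(client_filename).name).name
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected filename {client_filename!r}")
    root = upload_root(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.dirname(candidate) != root:
        raise ValueError(f"filename {client_filename!r} escapes {root}")
    return candidate


def rejected(client_filename: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """True when the hardened check refuses the client-supplied name."""
    try:
        safe_upload_path(upload_dir, client_filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample names of the kinds the text mentions (traversal
    # sequences, absolute paths); nothing is written to disk.
    for name in ["job.jar", "../../outside/escaped.jar", "/tmp/absolute.jar", "..\\..\\win.jar", ".."]:
        target = "REJECTED" if rejected(name) else safe_upload_path(UPLOAD_DIR, name)
        print(f"{name!r:30} unsafe={unsafe_upload_path(UPLOAD_DIR, name):34} safe={target}")
```

The containment check compares the resolved parent directory rather than a string prefix, so a symlink planted inside the upload directory cannot redirect the write either.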
Organizations utilizing affected Apache Flink versions must prioritize upgrading to patched releases 1.11.3 or 1.12.0 to mitigate this vulnerability. The upgrade process should include comprehensive testing of existing workflows and configurations to ensure compatibility with the fixed version. Additionally, security teams should conduct thorough reviews of file system permissions for Flink service accounts, implementing least privilege principles to minimize potential impact from any remaining vulnerabilities in the broader system architecture.