The Apache Flink flaw is back and being actively exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies that hackers are actively exploiting it to compromise devices without endpoint protection.
The vulnerability in question is an inappropriate access control flaw found in Apache Flink in January 2021.
Apache Flink is an open-source stream processing framework developed and maintained by the Apache Software Foundation. It is designed to process large amounts of data in real time with low latency and high throughput.
A deadline for patching
The flaw is tracked as CVE-2020-17519. It was discovered in early January 2021 and was never given a specific severity rating.
Still, the Apache Software Foundation resolved the issue in a timely manner by applying a workaround. The register reports. Vulnerable versions include Flink 1.11.0, 1.11.1 and 1.11.2. Fixed versions are 1.11.3 and 1.12.0.
βA change introduced in Apache Flink 1.11.0 (and also released in 1.11.1 and 1.11.2) allows attackers to read any file on the JobManager’s local file system via the REST interface of the JobManager process,β according to Apache Software. Foundation explained at the time. βAccess is limited to files accessible through the JobManager process.β
By adding the bug to the KEV, CISA also gave federal agencies a deadline by which they must either apply the patch or stop using the vulnerable software altogether β June 13. Clearly, private sector companies should do the same, as hackers rarely miss this. a potential target regardless of the sector it is in.
Unfortunately, CISA has not shared any additional details about the vulnerability or its exploiters, so we don’t know who the threat actors are, or who the victims might be. We also don’t know how many companies have already been hacked in this way, or what the attackers are using it for.