In early 2021, an access control flaw in Apache Flink was fixed; it has since been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, which indicates that cybercriminals are actively exploiting the vulnerability against victims.
Apache Flink is a popular open-source data streaming and processing platform supported by the Apache Software Foundation.
The vulnerability, tracked as CVE-2020-17519 (CVSS: 7.5), is an improper access control issue that allows attackers to read any file on the JobManager's local filesystem via its REST interface. It affects Apache Flink version 1.11.0 as well as versions 1.11.1 and 1.11.2.
Apache promptly addressed the vulnerability in versions 1.1.3 and 1.12.0, and security researchers published proof-of-concept code shortly afterwards. Even so, federal agencies and other organizations continue to run the vulnerable versions, which has led to active exploitation by criminals.
While CISA did not disclose specific details about the vulnerability or the exploitation cases, the entry's status in the catalog is listed as "unknown." It remains unclear who is abusing the vulnerability and for what purpose. However, Palo Alto Networks' Unit 42 warned of widespread exploitation between November 2020 and January 2021.
Inclusion in the catalog requires federal agencies to either patch the issue or stop using the tool by June 13. Users are urged to confirm they have applied the necessary updates and to check for potential compromises through this vulnerability. Although the active exploitation of the flaw has only recently come to light, it may have been used earlier.
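The article's two pieces of advice, confirm you run a fixed release and look for signs of compromise, can both be scripted. The following is an added example written for this page; it is not code from the article or from the Apache Flink project. It assumes that the affected releases are exactly the three the article names, and that an exploitation attempt against a "read any file via the REST interface" flaw would appear in the web-server access log as a path traversal (`..` segments, possibly percent-encoded or double-encoded) in the request path. The log lines, client addresses and file names below are constructed for the example, and the `/rest/files/` path is a placeholder, not a Flink endpoint.

```python
"""
Added example (not from the article or the Apache Flink project):
  1. a version check against the releases the article lists as affected, and
  2. a scan of an access log for percent-encoded path traversal in REST requests,
     which is the generic signature of an attempt to read arbitrary files.
"""
import re
from urllib.parse import unquote

# The three releases the article names as affected (assumption: the list is exhaustive).
AFFECTED_VERSIONS = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}


def parse_version(text):
    """Turn '1.11.2' (optionally prefixed with 'v') into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the running Flink release is one the article lists as vulnerable."""
    return parse_version(version_text) in AFFECTED_VERSIONS


# Constructed access-log lines in common log format; not real traffic.
# /rest/files/ is a placeholder path used only for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:09:12:01 +0000] "GET /overview HTTP/1.1" 200 812
10.0.0.5 - - [10/Jun/2024:09:12:02 +0000] "GET /jobs/overview HTTP/1.1" 200 1440
203.0.113.9 - - [10/Jun/2024:09:13:44 +0000] "GET /rest/files/..%252f..%252fconfig.yaml HTTP/1.1" 200 3020
203.0.113.9 - - [10/Jun/2024:09:13:45 +0000] "GET /rest/files/../../conf/secret HTTP/1.1" 404 120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoding
    (%252f -> %2f -> /) is unwrapped too; the round cap bounds the work."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path):
    """True if the decoded request path contains a '..' segment."""
    path = decode_fully(raw_path).split("?", 1)[0].replace("\\", "/")
    return ".." in path.split("/")


def scan_access_log(text):
    """Return one record per request whose path is a traversal attempt.
    A 2xx status on such a request is the strongest sign the read succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_traversal(m["path"]):
            hits.append({"client": m["client"], "path": m["path"],
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for v in ("1.11.2", "1.12.0"):
        print(f"Flink {v}: {'AFFECTED' if is_affected(v) else 'not in affected list'}")
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "succeeded?" if 200 <= hit["status"] < 300 else "failed"
        print(f"traversal from {hit['client']} -> {hit['path']} ({hit['status']}, {flag})")
```

Run it as-is to see the two constructed traversal requests flagged; point `scan_access_log` at your own reverse-proxy or JobManager access log to review real traffic. Decoding until the path stops changing matters because a single `unquote` leaves `..%252f` as `..%2f`, which a naive `..` check on split segments would miss.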