Apache Flink Directory Traversal Vulnerability (CVE-2020-17518 and CVE-2020-17519)
Jan 06, 2021 GMT+08:00
I. Overview
Apache Flink has published a security announcement disclosing two directory traversal vulnerabilities, CVE-2020-17518 and CVE-2020-17519, in several releases. Both are reachable through the Flink REST API: CVE-2020-17518 allows an attacker to write a file to an arbitrary location on the server's filesystem, and CVE-2020-17519 allows an attacker to read arbitrary files, in each case with the privileges of the Flink process. Apache Flink is an open-source distributed framework for stream and batch data processing. If you run Apache Flink, check the version you are running and apply the hardening below promptly.
References:
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
CVE-2020-17518: Flink 1.5.1–1.11.2
CVE-2020-17519: Flink 1.11.0, 1.11.1, 1.11.2
Secure versions:
Flink 1.11.3 or 1.12.0 (and later releases)
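The following added example (not Huawei Cloud's or Apache Flink's code) turns the version ranges above into a check you can run against your own deployment. It reads the version from the JobManager's GET /config REST response, which includes a flink-version field, and reports which of the two CVEs apply according to this notice. The embedded /config response is constructed sample data, and the JobManager address in the usage line is a placeholder.

```python
"""Check a Flink JobManager's reported version against the affected ranges
in this notice. Added example, not Huawei Cloud's or Apache Flink's code.
Assumes the JobManager REST endpoint GET /config is reachable and returns
JSON with a "flink-version" field; the host and port in the usage line at
the bottom are placeholders."""
import json
import re
import urllib.request

# Inclusive version ranges taken from section III of this notice.
AFFECTED = {
    "CVE-2020-17518": ((1, 5, 1), (1, 11, 2)),
    "CVE-2020-17519": ((1, 11, 0), (1, 11, 2)),
}


def parse_version(text):
    """'1.11.2' or '1.11.2-SNAPSHOT' -> (1, 11, 2); ValueError if unrecognized."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized Flink version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVE ids from this notice whose range contains `version`.
    Accepts either a version string or an already-parsed (major, minor, patch) tuple."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi]


def version_from_config(config_json):
    """Extract the version string from a GET /config response body."""
    return json.loads(config_json)["flink-version"]


def check_jobmanager(base_url, timeout=5):
    """Query GET /config on a live JobManager; return (version, affected CVE ids)."""
    url = base_url.rstrip("/") + "/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = version_from_config(resp.read().decode("utf-8"))
    return version, affected_cves(version)


# Constructed sample /config body, shaped like a real reply, so the logic
# can be exercised offline.
SAMPLE_CONFIG = (
    '{"refresh-interval":3000,"timezone-name":"Coordinated Universal Time",'
    '"timezone-offset":0,"flink-version":"1.11.2",'
    '"flink-revision":"0000000 @ 2020-09-09T16:19:03+02:00"}'
)

if __name__ == "__main__":
    ver = version_from_config(SAMPLE_CONFIG)
    print(ver, affected_cves(ver))  # 1.11.2 ['CVE-2020-17518', 'CVE-2020-17519']
    # Live check against a placeholder address:
    # print(check_jobmanager("http://jobmanager.example:8081"))
```

The ranges are encoded exactly as this notice states them, so a 1.10.x release is reported as affected by CVE-2020-17518 but not CVE-2020-17519. Run the live check only against JobManagers you are authorized to query.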
IV. Vulnerability Handling
Both vulnerabilities are fixed in the official releases listed above. If your deployment runs an affected version, upgrade to Flink 1.11.3 or 1.12.0 (or a later release). Downloads are available at:
https://flink.apache.org/downloads.html
HUAWEI CLOUD WAF can block exploitation attempts against these vulnerabilities. If you use WAF, set the Basic Web Protection action to Block. For details, see Enabling Basic Web Protection. WAF only inspects requests that pass through it, so treat it as a mitigation while you upgrade, not as a replacement for the upgrade.
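As an added example for the directory traversal class these CVEs belong to (not Huawei Cloud WAF or Apache Flink code), the script below flags HTTP requests whose path contains a ".." segment once percent-encoding has been stripped, including nested encoding such as %252f. That is the signature a WAF rule or a log search needs. The access-log lines are constructed, and the request paths in them are placeholders rather than Flink endpoints.

```python
"""Flag HTTP requests that use directory traversal ('..' segments), even when
the sequence is percent-encoded one or more times. Added example for this
notice; not Huawei Cloud WAF or Apache Flink code. The log lines are
constructed and the request paths in them are placeholders, not Flink endpoints."""
import re
from urllib.parse import unquote

# Request field of a combined-format access log: "METHOD /path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (%252f -> %2f -> /).
    Bounded so a pathological input cannot loop indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(path):
    """True if any path segment equals '..' after decoding. The query string
    is dropped and backslashes are treated as separators so '..\\' is caught.
    A segment such as 'flink..log' is not traversal and is not flagged."""
    decoded = fully_decode(path).split("?", 1)[0].replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def suspicious_requests(log_text):
    """Return (method, raw_path) for each log line whose request path traverses."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits


# Constructed sample access log (not real traffic; paths are placeholders).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2021:10:00:01 +0000] "GET /api/overview HTTP/1.1" 200 312
10.0.0.9 - - [06/Jan/2021:10:00:02 +0000] "GET /api/logs/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1421
10.0.0.7 - - [06/Jan/2021:10:00:03 +0000] "GET /api/logs/flink..log?start=0 HTTP/1.1" 200 77
10.0.0.9 - - [06/Jan/2021:10:00:04 +0000] "GET /api/files/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for method, path in suspicious_requests(SAMPLE_LOG):
        print(method, path)
```

This catches traversal carried in the request path only. A traversal sequence carried in a request body (for example in the filename of a multipart upload) does not appear in the access-log request line, so the upload path needs body inspection by the WAF or the application itself.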
Note: Before applying the fix, back up your data and configuration and test the upgrade in a non-production environment.