Vulnerabilities Details

  • Home
  • Vulnerabilities Details
ZMC-2021.08.16.1500

ZMC-2021.08.16.1500

Apache Airflow: Multiple vulnerabilities

Operating System:

[WIN][UNIX/LINUX]

Published:

16th August 2021

VulnerabilitiesZMC-2021.08.16.1500 


===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.08.16.1500
                     Apache Airflow: Multiple vulnerabilities
                               16th August 2021

===========================================================================

Product:           Apache Airflow
Publisher:         Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
                   Reduced Security         -- Unknown/Unspecified
Resolution:        Mitigation
CVE Names:         CVE-2021-35936  

Original Bulletin: 
   https://mail-archives.apache.org/mod_mbox/www-announce/202108.mbox/%3Cd998842d-fdb2-8f73-ca56-aaa43d55d057%40apache.org%3E


Description:

If remote logging is not used, the worker (in the case of CeleryExecutor) =
or the scheduler (in the case of LocalExecutor) runs a Flask logging server=
 and is listening on a specific port and also binds on 0.0.0.0 by default.
This logging server had no authentication and allows reading log files of =
DAG jobs.

This issue affects Apache Airflow  2.1.2.

Mitigation:

Use remote logging with GCS, S3, Elasticsearch etc. This is recommended for=
 production environments.

And do not publicly expose any other ports apart from Webserver port, =
Flower port etc.

Credit:

Apache Airflow would like to thank Dolev Farhi for reporting this issue.



 
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm     
Telephone:     7070 
                ZMCIRT personnel answer during Zambian business hours 
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT