A dangerous Apache Flink flaw has resurfaced, and is being actively exploited

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, thus warning federal agencies that hackers are actively exploiting it to compromise devices without endpoint protection.

The vulnerability in question is an improper access control flaw first found in Apache Flink back in January 2021.

Apache Flink is an open source stream-processing framework developed and maintained by the Apache Software Foundation. It is designed to process large volumes of data in real time with low latency and high throughput.

A deadline for patching

The flaw is tracked as CVE-2020-17519. It was discovered in early January 2021, and was never given a specific severity score. 

Still, the Apache Software Foundation fixed it in a timely manner, by applying a fix. Vulnerable versions include Flink 1.11.0, 1.11.1, and 1.11.2. Fixed versions are 1.11.3, and 1.12.0. 

“A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process,” the Apache Software Foundation explained at the time. “Access is restricted to files accessible by the JobManager process.”

Adding the bug to the KEV, CISA also gave federal agencies a deadline by which they should either apply the patch, or stop using the vulnerable software altogether - June 13. Obviously, firms in the private sector should do the same, as hackers rarely skip a potential target, regardless of the industry it is in. 

Unfortunately, CISA did not share additional details about the vulnerability or its exploiters, so we don’t know who the threat actors are, or who the victims might be. We also don’t know how many firms may have been compromised this way already, or what the attackers are using it for. 

Via The Register

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.