Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

A dangerous Apache Flink flaw has resurfaced, and is being actively exploited

Red padlock open on electric circuits network dark red background.

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, thus warning federal agencies that hackers are actively exploiting it to compromise devices without endpoint protection.

The vulnerability in question is an improper access control flaw first found in Apache Flink back in January 2021.

Apache Flink is an open source stream-processing framework developed and maintained by the Apache Software Foundation. It is designed to process large volumes of data in real time with low latency and high throughput.

A deadline for patching

The flaw is tracked as CVE-2020-17519. It was discovered in early January 2021, and was never given a specific severity score. 

Still, the Apache Software Foundation fixed it in a timely manner, by applying a fix. Vulnerable versions include Flink 1.11.0, 1.11.1, and 1.11.2. Fixed versions are 1.11.3, and 1.12.0. 

“A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process,” the Apache Software Foundation explained at the time. “Access is restricted to files accessible by the JobManager process.”

Adding the bug to the KEV, CISA also gave federal agencies a deadline by which they should either apply the patch, or stop using the vulnerable software altogether - June 13. Obviously, firms in the private sector should do the same, as hackers rarely skip a potential target, regardless of the industry it is in. 

Unfortunately, CISA did not share additional details about the vulnerability or its exploiters, so we don’t know who the threat actors are, or who the victims might be. We also don’t know how many firms may have been compromised this way already, or what the attackers are using it for. 

Via The Register

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.