CVE-2023-35797
📋 TL;DR
This vulnerability allows attackers to bypass security checks and achieve remote code execution (RCE) in Apache Airflow Hive Provider by exploiting improper input validation in the principal parameter. It affects organizations using Apache Airflow with Hive Provider before version 6.1.1. Exploitation requires access to modify connection details, typically meaning authenticated users or attackers who have compromised user credentials.
💻 Affected Systems
- Apache Airflow Hive Provider
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the Airflow server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Privilege escalation leading to unauthorized access to sensitive data, disruption of data pipelines, and potential compromise of connected systems.
If Mitigated
Limited impact with proper access controls preventing unauthorized connection modifications, though vulnerability remains present.
🎯 Exploit Status
Exploitation requires authenticated access to modify connection details. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.1
Vendor Advisory: https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y
Restart Required: Yes
Instructions:
1. Update Apache Airflow Hive Provider to version 6.1.1 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "apache-airflow-providers-apache-hive>=6.1.1"
2. Restart all Airflow services (webserver, scheduler, workers).
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Connection Modification Access
Limit which users can modify Hive connection details in Airflow to only trusted administrators.
Network Segmentation
Isolate Airflow instances from sensitive systems and implement strict network access controls.
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from modifying connection details.
- Monitor for suspicious activity related to connection modifications and principal parameter changes.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of apache-airflow-providers-apache-hive package. If version is below 6.1.1, the system is vulnerable.
Check Version:
pip show apache-airflow-providers-apache-hive | grep Version
Verify Fix Applied:
Confirm that apache-airflow-providers-apache-hive version is 6.1.1 or higher after update.
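The version comparison above can be scripted so it runs the same way on every Airflow host. The following is an added example for this advisory, not code from the page or from the Airflow project; it assumes only the package name and the 6.1.1 fix version stated above, and treats pre-release builds of 6.1.1 (for instance 6.1.1rc1) as still vulnerable.

```python
"""Check whether the installed Apache Airflow Hive provider is older than the
6.1.1 fix version.

Added example for this advisory; not part of the page or the Airflow project.
"""
import re
from importlib.metadata import PackageNotFoundError, version

PACKAGE = "apache-airflow-providers-apache-hive"
FIXED_VERSION = "6.1.1"  # first release carrying the fix, per the advisory

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '6.1.1' or '6.1.1rc1' into a comparable tuple.

    A pre-release tag (rc, b, a, dev) sorts before the final release of the
    same number, so '6.1.1rc1' is still reported as vulnerable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    numeric = (int(major), int(minor or 0), int(patch or 0))
    return numeric + ((1,) if pre is None else (0,))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def check_installed(package: str = PACKAGE) -> dict:
    """Look up the package in the current environment and classify it."""
    try:
        installed = version(package)
    except PackageNotFoundError:
        return {"package": package, "installed": None, "vulnerable": False,
                "note": "provider not installed in this environment"}
    return {"package": package, "installed": installed,
            "vulnerable": is_vulnerable(installed)}


if __name__ == "__main__":
    print(check_installed())
```

Run it inside the same virtual environment the Airflow services use; a provider installed in a different interpreter will show up as "not installed" here while still being loaded by the scheduler.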
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to Hive connection configurations
- Unusual principal parameter values in connection updates
- Failed authentication attempts followed by connection modifications
Network Indicators:
- Unexpected outbound connections from Airflow servers
- Suspicious command and control traffic
SIEM Query:
source="airflow" AND (event="connection_modified" OR event="connection_updated") AND principal=*
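The log indicators and the SIEM query above can be turned into a small triage script that flags connection edits by users outside an allowlist and principal values that do not fit the Kerberos primary[/instance]@REALM grammar. This is an added example for this advisory, not Airflow's own code; the JSON line layout (fields source, event, user, conn_id, principal), the allowlist and the sample log lines are constructed for the example and need to be mapped onto the event source you actually forward to your SIEM.

```python
"""Flag Hive connection edits that warrant review, over audit-style log lines.

Added example for this advisory; not Airflow's own code. The JSON log layout
and the sample lines below are constructed for the example.
"""
import json
import re
from typing import Dict, Iterable, List

# Event names taken from the advisory's SIEM query.
CONNECTION_EVENTS = {"connection_modified", "connection_updated"}

# Kerberos principal shape: primary[/instance]@REALM. Whitespace or any
# punctuation outside this grammar is unexpected in a connection field.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@[A-Za-z0-9.-]+$")

# Users permitted to edit Hive connections (constructed allowlist).
TRUSTED_EDITORS = {"airflow-admin"}

# Constructed sample log lines, not real Airflow output.
SAMPLE_LOGS = [
    '{"source": "airflow", "event": "connection_updated", "user": "airflow-admin", '
    '"conn_id": "hive_default", "principal": "hive/_HOST@EXAMPLE.ORG"}',
    '{"source": "airflow", "event": "connection_modified", "user": "analyst7", '
    '"conn_id": "hive_default", "principal": "hive/_HOST@EXAMPLE.ORG"}',
    '{"source": "airflow", "event": "connection_updated", "user": "analyst7", '
    '"conn_id": "hive_prod", "principal": "hive@EXAMPLE.ORG; extra tokens"}',
    '{"source": "airflow", "event": "dag_run_started", "user": "scheduler", '
    '"dag_id": "etl_daily"}',
    "not json at all",
]


def principal_looks_valid(principal: str) -> bool:
    """True when the value matches the primary[/instance]@REALM grammar."""
    return bool(PRINCIPAL_RE.match(principal))


def scan_connection_events(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per connection edit that warrants review.

    `reasons` holds 'malformed_principal' when the principal fails the grammar
    check and 'untrusted_editor' when the actor is outside the allowlist.
    """
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the scan
        if rec.get("source") != "airflow" or rec.get("event") not in CONNECTION_EVENTS:
            continue
        reasons = []
        principal = rec.get("principal")
        if principal is not None and not principal_looks_valid(principal):
            reasons.append("malformed_principal")
        if rec.get("user") not in TRUSTED_EDITORS:
            reasons.append("untrusted_editor")
        if reasons:
            findings.append({"conn_id": rec.get("conn_id"), "user": rec.get("user"),
                             "principal": principal, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_connection_events(SAMPLE_LOGS):
        print(finding)
```

On the sample input the first line (trusted editor, well-formed principal) produces no finding, the second is flagged only for the untrusted editor, and the third for both reasons. The grammar check is deliberately strict; if your realm or instance names use characters outside the pattern, widen the regex rather than dropping the check.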
🔗 References
- http://www.openwall.com/lists/oss-security/2023/07/12/3
- https://github.com/apache/airflow/pull/31983
- https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y