CVE-2024-34457

6.5 MEDIUM

📋 TL;DR

This vulnerability in Apache Flink allows authenticated regular users to bypass authorization controls and access sensitive user information they shouldn't have permission to view. After successful login, users can manually craft requests using their authorization token to view all users' Flink information including executeSQL and config data. This affects all Apache Flink deployments running versions before 2.1.4.

💻 Affected Systems

Products:
  • Apache Flink
Versions: All versions before 2.1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments where regular user authentication is enabled. The vulnerability exists in the authorization mechanism regardless of specific configuration settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could access sensitive configuration data and SQL execution information from all users, potentially leading to data exposure, privilege escalation, or further system compromise.

🟠

Likely Case

Regular users accidentally or intentionally accessing other users' Flink information, exposing sensitive operational data and potentially violating data privacy regulations.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to authorized users within the same security zone, but sensitive data exposure still occurs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials and involves manually crafting HTTP requests with authorization tokens. No public exploit code has been identified in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.4

Vendor Advisory: https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j

Restart Required: Yes

Instructions:

1. Download Apache Flink 2.1.4 from the official Apache website.
2. Stop all Flink services.
3. Backup your current configuration and data.
4. Replace the Flink installation with version 2.1.4.
5. Restore your configuration.
6. Restart all Flink services.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to Flink management interfaces to only trusted administrative networks

Enhanced Monitoring

all

Implement detailed logging and monitoring of user access to Flink APIs to detect unauthorized access attempts

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Flink management interfaces from regular user networks
  • Deploy a web application firewall (WAF) with custom rules to detect and block unauthorized API requests to user information endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Flink version by examining the installation directory or running 'flink --version' command. If version is below 2.1.4, the system is vulnerable.

Check Version:

flink --version

Verify Fix Applied:

After upgrading, verify the version shows 2.1.4 or higher using 'flink --version'. Test that regular users can no longer access other users' Flink information through API requests.

📡 Detection & Monitoring

Log Indicators:

  • Multiple unauthorized API requests to user information endpoints from single user accounts
  • Access patterns showing users accessing other users' Flink data

Network Indicators:

  • Unusual API call patterns to /jobs/overview or similar endpoints from non-admin users
  • Multiple GET requests to user-specific endpoints from single IPs

SIEM Query:

source="flink-logs" AND (uri_path="/jobs/*" OR uri_path="/config*") AND user_role="regular" AND count by user_id > threshold
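The SIEM rule above, written out as a standalone script so it can be tested against a log sample; this is an added example, not part of the original page. It assumes JSON access-log lines carrying the same field names the query uses (user_id, user_role, uri_path), and the log lines below are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample log lines (one JSON object per line); field names follow the SIEM query.
SAMPLE_LOGS = """\
{"user_id": "alice", "user_role": "regular", "method": "GET", "uri_path": "/jobs/overview"}
{"user_id": "alice", "user_role": "regular", "method": "GET", "uri_path": "/config"}
{"user_id": "alice", "user_role": "regular", "method": "GET", "uri_path": "/jobs/abc123"}
{"user_id": "alice", "user_role": "regular", "method": "GET", "uri_path": "/jobs/abc123/config"}
{"user_id": "bob", "user_role": "regular", "method": "GET", "uri_path": "/jobs/overview"}
{"user_id": "carol", "user_role": "admin", "method": "GET", "uri_path": "/jobs/overview"}
{"user_id": "carol", "user_role": "admin", "method": "GET", "uri_path": "/config"}
{"user_id": "carol", "user_role": "admin", "method": "GET", "uri_path": "/config"}
{"user_id": "carol", "user_role": "admin", "method": "GET", "uri_path": "/config"}
{"user_id": "bob", "user_role": "regular", "method": "GET", "uri_path": "/overview"}
"""

# Equivalent of: uri_path="/jobs/*" OR uri_path="/config*"
SENSITIVE_PATH = re.compile(r"^(/jobs/.*|/config.*)$")

def count_sensitive_requests(log_text, role="regular"):
    """Count requests per user_id, for users with the given role, that hit the sensitive paths."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole sweep
        if event.get("user_role") != role:
            continue
        if SENSITIVE_PATH.match(event.get("uri_path", "")):
            counts[event["user_id"]] += 1
    return counts

def flag_users(log_text, threshold=3, role="regular"):
    """Return (user_id, count) pairs whose count exceeds the threshold, highest first."""
    counts = count_sensitive_requests(log_text, role)
    return [(user, n) for user, n in counts.most_common() if n > threshold]

if __name__ == "__main__":
    for user, n in flag_users(SAMPLE_LOGS, threshold=3):
        print(f"ALERT: {user} made {n} requests to sensitive Flink endpoints")
```

The threshold of 3 is an arbitrary starting point; tune it against a baseline of normal per-user request rates so that routine dashboard polling does not trip the rule.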

🔗 References
