CVE-2024-45784
📋 TL;DR
Apache Airflow versions before 2.10.3 contain a vulnerability where sensitive configuration variables (secrets) can be exposed in task logs. This allows unauthorized users who can access logs to potentially obtain critical data like API keys, database credentials, or other secrets. DAG authors and administrators of affected Airflow deployments are impacted.
💻 Affected Systems
- Apache Airflow
📦 What is this software?
Airflow by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive secrets (API keys, database passwords, encryption keys) from logs, leading to complete compromise of the Airflow deployment, data exfiltration, or lateral movement to connected systems.
Likely Case
Unauthorized internal users or attackers with log access discover exposed secrets, potentially compromising specific services or data tied to those credentials.
If Mitigated
With proper log access controls and monitoring, exposure is limited, but secrets in logs still pose a risk if logs are breached.
🎯 Exploit Status
Exploitation requires access to task logs, which typically needs some level of authorization or misconfiguration. No public proof-of-concept is known, but the vulnerability is straightforward to trigger if logs are accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.3 or later
Vendor Advisory: https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
Restart Required: Yes
Instructions:
1. Back up your Airflow deployment and data.
2. Upgrade Apache Airflow to version 2.10.3 or the latest stable release using pip: pip install --upgrade apache-airflow==2.10.3
3. Restart the Airflow services (webserver, scheduler, workers).
4. Verify the upgrade and test DAGs for functionality.
🔧 Temporary Workarounds
Restrict Log Access
Linux: Limit access to Airflow task logs to authorized personnel only, using file permissions, network controls, or log management tools. Task logs are stored in nested per-DAG and per-run directories, so apply the restriction recursively and keep the directory execute bit for the Airflow user:
chmod -R o-rwx /path/to/airflow/logs
setfacl -R -m u:airflowuser:rX /path/to/airflow/logs
Monitor Logs for Secrets
All platforms: Implement log monitoring to detect and alert on potential exposure of sensitive patterns (e.g., API keys, passwords) in Airflow logs. Because task logs are nested in subdirectories, search recursively and case-insensitively:
grep -rEi 'password|secret|key|token' /path/to/airflow/logs
🧯 If You Can't Patch
- Rotate all secrets and credentials that might have been logged in Airflow task logs to invalidate any exposed data.
- Enforce strict access controls on log storage and review DAG code to remove or secure any logging of sensitive variables.
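The second point above, securing any logging of sensitive variables in DAG code, can be enforced in the DAG itself while a patch is pending. Airflow 2.x ships a secrets masker (the airflow.utils.log.secrets_masker module); the example below is an added, constructed stand-in written for this page, not Airflow's own code, and it does not import Airflow so it runs anywhere. It shows the unsafe pattern (a task logging a configuration value verbatim) beside a hardened path where a logging filter replaces every registered secret value with the same '***' marker the fix uses. The function name render_task_log and the sample api_key value are constructed.

```python
import io
import logging

MASK = "***"


class SecretRedactingFilter(logging.Filter):
    """Replace registered secret values with MASK in every log record.

    Constructed stand-in for Airflow's secrets masker: it only knows the
    values you register, so register each Variable/Connection secret a task
    reads before logging anything.
    """

    def __init__(self):
        super().__init__()
        self._secrets = set()

    def register_secret(self, value):
        # Skip trivially short values: masking "1" would shred every message.
        if value is not None and len(str(value)) >= 4:
            self._secrets.add(str(value))

    def redact(self, text):
        # Longest secrets first so a value that contains another is fully masked.
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, MASK)
        return text

    def filter(self, record):
        # Redact the format string and any string arguments before formatting,
        # so "%s"-style interpolation can never reintroduce the raw value.
        record.msg = self.redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self.redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self.redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def render_task_log(api_key, use_masking):
    """Return the lines a task writes when it logs a config variable.

    use_masking=False reproduces the failure mode (secret in the clear);
    use_masking=True is the hardened path. The logger/handler wiring is a
    constructed stand-in for a task's log setup.
    """
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(f"example.task.masked={use_masking}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)

    if use_masking:
        redactor = SecretRedactingFilter()
        redactor.register_secret(api_key)   # register before the first log call
        logger.addFilter(redactor)

    # What a careless DAG task might do with a secret it just read:
    logger.info("Connecting with api_key=%s", api_key)
    logger.info("Config dump: {'api_key': '%s', 'retries': 3}", api_key)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    secret = "sk-live-ABCDEF123456"   # constructed sample value
    for line in render_task_log(secret, use_masking=False):
        print("UNSAFE  ", line)
    for line in render_task_log(secret, use_masking=True):
        print("MASKED  ", line)
```

The filter sits on the logger rather than on one handler, so every handler that task log reaches (file, stdout, remote) sees the redacted record. Its limit is the same as any value-based masker: a secret that was never registered, or that is transformed (base64-encoded, URL-quoted) before being logged, will not be caught, which is why rotating potentially logged credentials is still listed above.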
🔍 How to Verify
Check if Vulnerable:
Check the Apache Airflow version installed. If it is below 2.10.3, the system is vulnerable. Review task logs for any sensitive data exposure.
Check Version:
airflow version
Verify Fix Applied:
After upgrading to 2.10.3 or later, verify that secrets are masked in new task logs by checking log entries for obscured values (e.g., '***').
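The masking check above and the log-monitoring workaround earlier on this page are the same scan viewed from two sides: a line with a secret-bearing key whose value is '***' means the fix is working, while a line with a real value is the exposure to alert on. The example below is added here and is not part of the advisory; it runs the scan over constructed sample log lines (not real Airflow output) and classifies each as exposed, masked or clean. It deliberately narrows the key names compared with the page's grep, which matches the bare word "key" and is noisier, and it reports only the key name and line number, never the secret value, so the alert itself does not re-leak it. Function names (classify_line, scan_log, masking_enforced) are constructed.

```python
import re

# Constructed sample task-log lines: one secret in the clear, one masked by
# the fix, a second cleartext key, and a benign line that mentions "key".
SAMPLE_LOG = """\
[2024-11-12T10:00:01] INFO - Connecting to db with password=Sup3rS3cret!
[2024-11-12T10:00:02] INFO - Using API_KEY=***
[2024-11-12T10:00:03] INFO - Using API_KEY=AKIAEXAMPLE1234567890
[2024-11-12T10:00:04] INFO - Primary key column is id
"""

MASK = "***"

# A credential-style key name, then "=" or ":", then the value (quotes optional).
SECRET_KV = re.compile(
    r"(?i)\b(?P<key>[\w.-]*(?:password|passwd|secret|api[_-]?key|token))"
    r"\s*[=:]\s*['\"]?(?P<value>[^'\"\s,}]+)"
)


def classify_line(line):
    """Return ('exposed', key), ('masked', key) or ('clean', None)."""
    m = SECRET_KV.search(line)
    if not m:
        return ("clean", None)
    value = m.group("value")
    # The fix writes '***'; treat any run of asterisks as masked.
    if value == MASK or set(value) == {"*"}:
        return ("masked", m.group("key"))
    return ("exposed", m.group("key"))


def scan_log(text):
    """Classify every line of a log.

    Exposed and masked findings carry (line number, key name) only; the
    value is never copied into the result so the report cannot leak it.
    """
    findings = {"exposed": [], "masked": [], "clean": 0}
    for lineno, line in enumerate(text.splitlines(), start=1):
        status, key = classify_line(line)
        if status == "clean":
            findings["clean"] += 1
        else:
            findings[status].append((lineno, key))
    return findings


def masking_enforced(text):
    """True when no secret-bearing line is in the clear: the post-upgrade check
    to run against fresh task logs."""
    return not scan_log(text)["exposed"]


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for lineno, key in result["exposed"]:
        print(f"ALERT line {lineno}: cleartext value for {key}")
    for lineno, key in result["masked"]:
        print(f"ok    line {lineno}: {key} is masked")
    print("masking enforced:", masking_enforced(SAMPLE_LOG))
```

Run it over a directory of task logs by feeding each file's contents to scan_log; any non-empty "exposed" list is both a detection event and a signal that the credential named in it should be rotated.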
📡 Detection & Monitoring
Log Indicators:
- Plaintext secrets (e.g., passwords, API keys) appearing in Airflow task log files, especially in DAG execution logs.
Network Indicators:
- Unusual access patterns to log files or endpoints, such as repeated requests to log APIs from unauthorized sources.
SIEM Query:
source="airflow_logs" AND ("password" OR "secret" OR "key" OR "token")