Three-year-old Apache Flink flaw under active attack

We know IT admins have busy schedules but c'mon


An improper access control bug in Apache Flink that was fixed in January 2021 has been added to the US government's Known Exploited Vulnerabilities Catalog, meaning criminals are right now abusing the flaw in the wild to compromise targets.

Plus, its inclusion in the catalog means federal agencies need to either close the hole in their deployments of the software or stop using the tool altogether by June 13. Everyone else should make sure they are patched, too.

Everyone should also check to see if they've been compromised via the vulnerability, if possible. Though it's known now that the bug is being exploited in the wild, it may have been abused earlier.

Flink is an open source, stream- and batch-processing framework maintained by the Apache Software Foundation. This particular bug, tracked as CVE-2020-17519, could allow snoops to gain access to sensitive data.

"A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process," Flink project maintainer Robert Metzger noted just over three years ago. 

Apache addressed the issue with versions 1.11.3 and 1.12.0. Shortly after, security researchers published exploit code. And now, here we are in May 2024 with federal agencies and other organizations still using insecure versions and criminals circling the CVE.
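Because the affected and fixed releases are stated precisely (bug introduced in 1.11.0, present in 1.11.1 and 1.11.2, fixed in 1.11.3 and 1.12.0), the inventory check admins need is mechanical. The following is an added example, not code from the Flink project or the article, that flags vulnerable JobManagers from inventory data; the hostnames are constructed, and the `/config` parsing assumes the JobManager's REST reply carries a `flink-version` field.

```python
"""Flag Apache Flink deployments still exposed to CVE-2020-17519 (added example).

Affected range taken from the advisory quoted above: 1.11.0 <= version < 1.11.3.
1.11.3, 1.12.0 and later are fixed; releases before 1.11.0 never had the bug.
"""
import json
import re

AFFECTED_MIN = (1, 11, 0)   # first release carrying the bug
FIXED_AT = (1, 11, 3)       # first 1.11.x release with the fix


def parse_version(text):
    """Turn '1.11.2', '1.11.2-scala_2.12' or '1.11' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Flink version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True when the version lies in the vulnerable range [1.11.0, 1.11.3)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def triage_inventory(records):
    """records: iterable of (host, version) pairs from an inventory database.
    Returns the hosts that still run a vulnerable JobManager, sorted."""
    return sorted(host for host, version in records if is_affected(version))


def version_from_config_response(body):
    """Pull the version out of a JobManager REST /config reply.
    Assumption: the JSON carries a 'flink-version' key."""
    return json.loads(body)["flink-version"]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("flink-jm-01.example.internal", "1.11.2"),
    ("flink-jm-02.example.internal", "1.11.3"),
    ("flink-jm-03.example.internal", "1.10.1"),
    ("flink-jm-04.example.internal", "1.12.0"),
    ("flink-jm-05.example.internal", "1.11.1"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host}")
```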

Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA), which added CVE-2020-17519 to the government's Known Exploited Vulnerabilities catalog on Thursday, doesn't provide much detail. While the database does note if a particular bug that's under exploit is known to be used in ransomware campaigns, this flaw's status is currently listed as "unknown." We don't know who is abusing the bug at this point, nor for what nefarious purposes.

As with all bugs added to the catalog, the Homeland Security agency warns: "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

Plus, as The Reg would like to humbly point out: CVE-2020-17519 illustrates the importance of patching installations, or at least having good software inventory databases. See the 2020 in the name? That's when it was spotted and disclosed to the Flink maintainers by a helpful researcher who goes by 0rich1 from Ant Security FG Lab.

But simply fixing flaws in newer versions of software, open- and closed-source alike, does no good if users don't upgrade or update – or don't know they need to update. This brings us to where we are today, with government agencies and bug hunters screaming into the wind about writing secure code and applying patches in a timely manner.

That crooks are exploiting known holes isn't surprising; it would be worthwhile instead at this stage to focus on what's holding back patching, and what can be done to automate or ease it. ®
