[Unpatched] Apache Flink remote code execution vulnerability alert

Recently, the security team observed attack traffic exploiting an arbitrary JAR upload in Apache Flink that leads to remote code execution. An attacker can upload any JAR file through the Apache Flink Dashboard and have it executed on the Flink server, for example with Metasploit, to run arbitrary code.

Apache Flink is an open-source stream-processing framework developed by the Apache Software Foundation. The core of Apache Flink is a distributed streaming data-flow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined manner. Flink’s pipelined runtime system enables the execution of bulk/batch and stream processing programs. Furthermore, Flink’s runtime supports the execution of iterative algorithms natively.

The Dashboard's job submission page accepts any JAR file and runs its entry class on the JobManager, and no authentication is required by default. An attacker who can reach the Dashboard therefore uploads a JAR containing a payload, triggers it through the Dashboard (Metasploit automates this), and obtains code execution with the privileges of the user running the Flink JobManager process. If Flink runs as root, this is full control of the server.
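The upload-then-run sequence described above is visible in HTTP access logs. The following detection script is an added example, not part of this advisory or of the Flink project. It assumes the Dashboard sits behind a reverse proxy writing nginx "combined" log lines (the sample lines are constructed) and that the Dashboard uses the Flink REST paths POST /jars/upload and POST /jars/<id>/run; the trusted network range and the five-minute correlation window are assumptions for the example.

```python
"""Detect JAR upload-and-run activity against the Flink Dashboard/REST API
in reverse-proxy access logs (added example, not part of the advisory)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines (nginx "combined" format) from a hypothetical
# reverse proxy in front of the Flink web UI. Hosts, times and JAR ids are
# made up; the /jars/upload and /jars/<id>/run paths are the REST endpoints
# the Dashboard calls when a JAR is uploaded and run.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2019:10:01:02 +0000] "GET /overview HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2019:10:02:10 +0000] "POST /jars/upload HTTP/1.1" 200 145 "-" "python-requests/2.22.0"
203.0.113.7 - - [12/Nov/2019:10:02:12 +0000] "POST /jars/3f6a2c1e-9b0d-4c8a-8d3e-1a2b3c4d5e6f_payload.jar/run HTTP/1.1" 200 89 "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Nov/2019:10:03:00 +0000] "POST /jars/upload HTTP/1.1" 200 150 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2019:10:09:41 +0000] "POST /jars/aa11bb22-cc33-dd44-ee55-ff6677889900_wordcount.jar/run HTTP/1.1" 200 91 "-" "curl/7.64.0"
"""

# Assumption: the internal CI/ops subnet is the only legitimate submitter.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: an upload followed by a run within this window is one action.
RUN_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_RE = re.compile(r"^/jars/upload/?$")
RUN_RE = re.compile(r"^/jars/(?P<jar>[^/]+)/run/?$")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text):
    """Return (severity, source_ip, message) findings for JAR upload/run events.

    Only successful POSTs count. An upload from an untrusted source is HIGH;
    an upload followed by a run from the same source inside RUN_WINDOW is
    CRITICAL (untrusted) or MEDIUM (trusted); a run with no recent upload from
    an untrusted source is HIGH; trusted uploads are logged as INFO.
    """
    findings = []
    last_upload = {}  # source ip -> timestamp of its most recent upload
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST" or ev["status"] != 200:
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        trusted = is_trusted(ip)
        if UPLOAD_RE.match(path):
            last_upload[ip] = ts
            if trusted:
                findings.append(("INFO", ip, "jar upload from trusted source"))
            else:
                findings.append(("HIGH", ip, "jar upload from untrusted source"))
            continue
        run = RUN_RE.match(path)
        if not run:
            continue
        prev = last_upload.get(ip)
        chained = prev is not None and timedelta(0) <= ts - prev <= RUN_WINDOW
        jar = run.group("jar")
        if chained and not trusted:
            findings.append(("CRITICAL", ip, f"upload followed by run of {jar}"))
        elif chained:
            findings.append(("MEDIUM", ip, f"upload followed by run of {jar}"))
        elif not trusted:
            findings.append(("HIGH", ip, f"job run from untrusted source: {jar}"))
    return findings


if __name__ == "__main__":
    for sev, ip, msg in detect(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {msg}")
```

The correlation by source address is deliberately simple: the attack needs both requests, so a run shortly after an upload from an address outside the trusted range is the highest-confidence signal, while a lone untrusted upload is still worth alerting on because the JAR may be run later or from elsewhere.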

Affected version

  • All Apache Flink versions

Solution

No security update or official fix for this vulnerability has been released yet. Affected users should watch the Apache Flink official website for a patch. Until one is available, restrict network access to the Flink Dashboard and REST endpoint (port 8081 by default) to trusted hosts only, and, if job submission through the web UI is not needed, disable it by setting web.submit.enable to false in flink-conf.yaml.