-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2820
                 Multiple vulnerabilities in Apache Airflow
                                 8 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiAnalyzer
Publisher:         Fortinet
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-35936 CVE-2021-28359 CVE-2021-23336
                   CVE-2020-17526 CVE-2020-17515 CVE-2020-17513
                   CVE-2020-13944 CVE-2020-13927 CVE-2020-11982
                   CVE-2020-11981

Original Bulletin:
   https://fortiguard.fortinet.com/psirt/FG-IR-22-008

Comment: CVSS (Max):  9.0 CVE-2020-13927 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Fortinet
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in Apache Airflow

IR Number     : FG-IR-22-008
Date          : Jun 7, 2022
Severity      : Critical
CVSSv3 Score  : 9
Impact        : Improper access control, Execute unauthorized code or commands
CVE ID        : CVE-2020-13927

Affected Products: FortiAnalyzer : 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5,
                   6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0

Summary

Security advisories were released affecting the version of the Apache Airflow
library used in some Fortinet products:

CVE-2020-13927: The previous default setting for Airflow's Experimental API
was to allow all API requests without authentication, which poses a security
risk to users who are unaware of it. From Airflow 1.10.11 the default has been
changed to deny all requests, as documented at
https://airflow.apache.org/docs/1.10.11/security.html#api-authentication.
Note that this change fixes the issue for new installs only; existing users
need to change their config to the new default
`[api] auth_backend = airflow.api.auth.backend.deny_all`, as described in the
Updating Guide:
https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CVE-2020-11982: An issue was found in Apache Airflow versions 1.10.10 and
below. When using CeleryExecutor, if an attacker can connect to the broker
(Redis, RabbitMQ) directly, it is possible to insert a malicious payload
directly into the broker, which could lead to a deserialization attack (and
thus remote code execution) on the Worker.

CVE-2020-11981: An issue was found in Apache Airflow versions 1.10.10 and
below. When using CeleryExecutor, if an attacker can connect to the broker
(Redis, RabbitMQ) directly, it is possible to inject commands, resulting in
the celery worker running arbitrary commands.

CVE-2021-35936: If remote logging is not used, the worker (in the case of
CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask
logging server that listens on a specific port and binds to 0.0.0.0 by
default. This logging server has no authentication and allows reading the log
files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

CVE-2021-28359: The "origin" parameter passed to some of the endpoints, such
as '/trigger', was vulnerable to XSS. This issue affects Apache Airflow
versions < 1.10.15 in the 1.x series and 2.0.0 and 2.0.1 in the 2.x series.
This is the same issue as CVE-2020-13944 and CVE-2020-17515, but the
implemented fix did not fix the issue completely. Update to Airflow 1.10.15
or 2.0.2. Please also update your Python version to the latest available
PATCH release of the installed MINOR version, for example to Python 3.6.13
if you are on Python 3.6 (those contain the fix for CVE-2021-23336,
https://nvd.nist.gov/vuln/detail/CVE-2021-23336).

CVE-2020-17526: Incorrect session validation in the Apache Airflow Webserver
in versions prior to 1.10.14 with the default config allows a malicious
Airflow user who logs in normally on site A to access, without authorization,
the Airflow Webserver on site B using the session from site A. This does not
affect users who have changed the default value of the
`[webserver] secret_key` config.

CVE-2020-17513: In Apache Airflow versions prior to 1.10.13, the Charts and
Query View of the old (Flask-admin based) UI were vulnerable to SSRF attack.

Affected Products

FortiAnalyzer version 7.0.2 and below.
FortiAnalyzer version 6.4.7 and below.

Other Fortinet products do not use the Apache Airflow library.

Solutions

Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.

References

  o https://nvd.nist.gov/vuln/detail/CVE-2020-13927
  o https://nvd.nist.gov/vuln/detail/CVE-2020-11982
  o https://nvd.nist.gov/vuln/detail/CVE-2020-11981
  o https://nvd.nist.gov/vuln/detail/CVE-2021-35936
  o https://nvd.nist.gov/vuln/detail/CVE-2021-28359
  o https://nvd.nist.gov/vuln/detail/CVE-2020-17526
  o https://nvd.nist.gov/vuln/detail/CVE-2020-17513

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
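A defender-side check for the configuration points the included text raises: the `[api] auth_backend` value, a default `[webserver] secret_key`, remote logging for the worker/scheduler log server, and broker credentials when CeleryExecutor is in use. This is an added example, not code from AusCERT, Fortinet or the Airflow project; it assumes an airflow.cfg in the standard INI layout, takes `temporary_key` as the 1.10-era placeholder secret_key (an assumption), and runs over constructed sample configs.

```python
import configparser
from urllib.parse import urlsplit
DENY_ALL = "airflow.api.auth.backend.deny_all"  # hardened value quoted in the bulletin

def audit_airflow_cfg(text):
    """Return (cve, finding) tuples for the weak settings the bulletin describes."""
    cfg = configparser.ConfigParser(interpolation=None)  # Airflow values may contain '%'
    cfg.read_string(text)
    findings = []
    # CVE-2020-13927: an existing install keeps its old allow-all API backend until changed.
    backend = cfg.get("api", "auth_backend", fallback="<unset: pre-1.10.11 allow-all default>")
    if backend.strip() != DENY_ALL:
        findings.append(("CVE-2020-13927", f"[api] auth_backend is {backend!r}, not {DENY_ALL}"))
    # CVE-2020-17526: a default secret_key lets a site-A session be reused on site B.
    # Assumption: "temporary_key" is the placeholder shipped in 1.10-era default configs.
    if cfg.get("webserver", "secret_key", fallback="").strip() in ("", "temporary_key"):
        findings.append(("CVE-2020-17526", "[webserver] secret_key is unset or the placeholder"))
    # CVE-2021-35936: without remote logging the worker/scheduler serves logs unauthenticated.
    remote = cfg.get("logging", "remote_logging",
                     fallback=cfg.get("core", "remote_logging", fallback="False"))
    if remote.strip().lower() != "true":
        findings.append(("CVE-2021-35936", "remote_logging is off; local log server is exposed"))
    # CVE-2020-11981/11982: with CeleryExecutor a credential-less broker accepts anyone's tasks.
    if cfg.get("core", "executor", fallback="").strip() == "CeleryExecutor":
        if not urlsplit(cfg.get("celery", "broker_url", fallback="")).password:
            findings.append(("CVE-2020-11981/11982", "[celery] broker_url has no credentials"))
    return findings

# Constructed sample configs (not from any real deployment): one weak, one hardened.
WEAK_CFG = """[core]
executor = CeleryExecutor
remote_logging = False
[celery]
broker_url = redis://redis:6379/0
[webserver]
secret_key = temporary_key
[api]
auth_backend = airflow.api.auth.backend.default
"""
HARDENED_CFG = """[core]
executor = CeleryExecutor
remote_logging = True
[celery]
broker_url = redis://:example-broker-password@redis:6379/0
[webserver]
secret_key = 7f3c2b9e4d1a6085c0ffee11deadbeef
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""
```

Calling `audit_airflow_cfg(WEAK_CFG)` reports all four findings while the hardened config reports none; an empty config still reports the three settings whose absence leaves the insecure default in place.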