===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2820
                Multiple vulnerabilities in Apache Airflow
                                8 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiAnalyzer
Publisher:         Fortinet
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-35936 CVE-2021-28359 CVE-2021-23336
                   CVE-2020-17526 CVE-2020-17515 CVE-2020-17513
                   CVE-2020-13944 CVE-2020-13927 CVE-2020-11982
                   CVE-2020-11981

Original Bulletin: 
   https://fortiguard.fortinet.com/psirt/FG-IR-22-008

Comment: CVSS (Max):  9.0 CVE-2020-13927 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Fortinet
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in Apache Airflow

IR Number    : FG-IR-22-008
Date         : Jun 7, 2022
Severity     : Critical
CVSSv3 Score : 9
Impact       : Improper access control, Execute unauthorized code or commands
CVE ID       : CVE-2020-13927
Affected Products: 
 FortiAnalyzer : 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0

Summary

Security advisories were released affecting the version of Apache Airflow
library used in some Fortinet products:

CVE-2020-13927:
The previous default setting for Airflow's Experimental API was to allow all
API requests without authentication, but this poses security risks to users who
miss this fact. From Airflow 1.10.11 the default has been changed to deny all
requests by default and is documented at
https://airflow.apache.org/docs/1.10.11/security.html#api-authentication.
Note this change fixes it for new installs, but existing users need to change
their config to `[api] auth_backend = airflow.api.auth.backend.deny_all` as
mentioned in the Updating Guide:
https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CVE-2020-11982:
An issue was found in Apache Airflow versions 1.10.10 and below. When using
CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ)
directly, it was possible to insert a malicious payload directly into the
broker, which could lead to a deserialization attack (and thus remote code
execution) on the Worker.

CVE-2020-11981:
An issue was found in Apache Airflow versions 1.10.10 and below. When using
CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ)
directly, it is possible to inject commands, resulting in the celery worker
running arbitrary commands.

CVE-2021-35936:
If remote logging is not used, the worker (in the case of CeleryExecutor) or
the scheduler (in the case of LocalExecutor) runs a Flask logging server that
listens on a specific port and binds to 0.0.0.0 by default. This logging
server has no authentication and allows reading log files of DAG jobs. This
issue affects Apache Airflow < 2.1.2.

CVE-2021-28359:
The "origin" parameter passed to some of the endpoints like '/trigger' was
vulnerable to an XSS exploit. This issue affects Apache Airflow versions
<1.10.15 in the 1.x series and versions 2.0.0 and 2.0.1 in the 2.x series. This
is the same as CVE-2020-13944 & CVE-2020-17515, but the implemented fix did not
fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also
update your Python version to the latest available PATCH release of the
installed MINOR version, for example update to Python 3.6.13 if you are on
Python 3.6. (Those contain the fix for CVE-2021-23336,
https://nvd.nist.gov/vuln/detail/CVE-2021-23336.)

CVE-2020-17526:
Incorrect Session Validation in Apache Airflow Webserver versions prior to
1.10.14 with the default config allows a malicious Airflow user on site A,
where they log in normally, to access an unauthorized Airflow Webserver on
site B through the session from site A. This does not affect users who have
changed the default value of the `[webserver] secret_key` config.
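As an added example (not part of the Fortinet or AusCERT bulletin), the following
Python script audits an airflow.cfg for the two configuration-dependent issues
above: the Experimental API backend (CVE-2020-13927) and the default webserver
secret_key (CVE-2020-17526). The sample config is constructed; the allow-all
backend module name `airflow.api.auth.backend.default` and the `temporary_key`
placeholder are assumptions about older Airflow config templates.

```python
import configparser
from typing import List

# Constructed sample of a pre-1.10.11 style airflow.cfg: the Experimental API
# is left open and the shipped placeholder secret_key was never changed.
SAMPLE_CFG = """
[api]
auth_backend = airflow.api.auth.backend.default

[webserver]
secret_key = temporary_key
"""

# The backend the advisory tells existing installs to switch to.
SAFE_API_BACKEND = "airflow.api.auth.backend.deny_all"

# Assumption: values treated as "still the default". The advisory only says the
# default must be changed; 'temporary_key' is the placeholder from older
# airflow.cfg templates, and an empty value means the key was never set.
WEAK_SECRET_KEYS = {"", "temporary_key"}


def audit_airflow_cfg(text: str) -> List[str]:
    """Return one finding per advisory item that the given config still exhibits."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # CVE-2020-13927: the Experimental API must deny all requests unless an
    # authenticating backend has been deliberately configured.
    backend = cfg.get("api", "auth_backend", fallback="").strip()
    if backend != SAFE_API_BACKEND:
        findings.append(
            "CVE-2020-13927: [api] auth_backend is %s; set it to %s "
            "or an authenticating backend" % (backend or "unset", SAFE_API_BACKEND))

    # CVE-2020-17526: a shared default secret_key lets a session cookie issued by
    # one Airflow webserver be accepted by another that uses the same key.
    secret = cfg.get("webserver", "secret_key", fallback="").strip()
    if secret in WEAK_SECRET_KEYS:
        findings.append(
            "CVE-2020-17526: [webserver] secret_key is unset or still the default; "
            "generate a unique random value per deployment")
    return findings


if __name__ == "__main__":
    for finding in audit_airflow_cfg(SAMPLE_CFG):
        print(finding)
```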

CVE-2020-17513:
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the
old (Flask-admin based) UI were vulnerable to SSRF attacks.

Affected Products

FortiAnalyzer version 7.0.2 and below.
FortiAnalyzer version 6.4.7 and below.

Other Fortinet products do not use the Apache Airflow library.

Solutions

Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.

References

  o https://nvd.nist.gov/vuln/detail/CVE-2020-13927
  o https://nvd.nist.gov/vuln/detail/CVE-2020-11982
  o https://nvd.nist.gov/vuln/detail/CVE-2020-11981
  o https://nvd.nist.gov/vuln/detail/CVE-2021-35936
  o https://nvd.nist.gov/vuln/detail/CVE-2021-28359
  o https://nvd.nist.gov/vuln/detail/CVE-2020-17526
  o https://nvd.nist.gov/vuln/detail/CVE-2020-17513

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================