Platform
python
Component
apache-airflow
Fixed in
2.1.3
CVE-2021-38540 is a critical remote code execution (RCE) vulnerability affecting Apache Airflow versions from 2.0.0 up to, but not including, 2.1.3. The variable import endpoint lacked authentication, allowing unauthenticated users to manipulate Airflow variables used within Directed Acyclic Graphs (DAGs). This manipulation can lead to denial of service, information disclosure, and, critically, remote code execution.
The primary impact of CVE-2021-38540 is the potential for remote code execution. An attacker could leverage this vulnerability to inject malicious code into Airflow variables, which would then be executed as part of DAG runs. This could allow them to gain control of the Airflow infrastructure and potentially the underlying systems. The lack of authentication on the variable import endpoint makes exploitation relatively straightforward. Successful exploitation could lead to data breaches, system compromise, and disruption of critical workflows managed by Airflow. This vulnerability shares similarities with other insecure API endpoint exposures, where lack of authentication allows unauthorized access and manipulation of sensitive data or system functions.
CVE-2021-38540 was publicly disclosed on May 24, 2022. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA's KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of remote code execution.
Organizations heavily reliant on Apache Airflow for orchestrating complex workflows are at significant risk. Specifically, deployments with publicly accessible Airflow instances or those lacking robust network segmentation are particularly vulnerable. Airflow installations using older versions (prior to 2.1.3) and those with limited security monitoring are also at heightened risk.
• python / airflow: send an unauthenticated request to the variable import endpoint and inspect the response. On a patched instance (2.1.3 or later) the request should be rejected with an authentication error; a successful response indicates the instance is still exposed.

```python
import requests
import json

# Replace <airflow_host> with the host of the Airflow instance under test
url = "http://<airflow_host>/api/v1/variables/import"
headers = {'Content-Type': 'application/json'}
data = {'key': 'test_variable', 'value': 'malicious_code'}

try:
    # No credentials are sent: a patched instance must refuse this request
    response = requests.post(url, headers=headers, data=json.dumps(data))
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Content: {response.content}")
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
```

• linux / server: Monitor Airflow logs for unusual variable import activity or errors related to variable manipulation. Use journalctl -u airflow to filter for relevant log entries.
• generic web: Check Airflow server access logs for requests to /api/v1/variables/import originating from unexpected IP addresses or user agents.
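The access-log check described above, written out as an added example (not code from the advisory or from the Airflow project). It parses Combined Log Format lines, keeps only requests to /api/v1/variables/import, and flags those that carry no authenticated user, come from outside an assumed trusted network, or use an unexpected user agent. The sample log lines, the trusted network 10.0.0.0/8 and the expected user-agent prefix are constructed assumptions for the demonstration; adjust them to your own environment.

```python
"""Scan web-server access logs for hits on the Airflow variable import
endpoint (CVE-2021-38540) that come from unexpected sources."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.1.15 - - [24/May/2021:10:02:11 +0000] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.1.15 - admin [24/May/2021:10:03:40 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.23 - - [24/May/2021:10:05:02 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
203.0.113.9 - - [24/May/2021:10:06:17 +0000] "POST /api/v1/variables/import HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

# Assumed policy (hypothetical): networks allowed to manage variables and the
# user agents normally seen doing so through the Airflow web UI.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
EXPECTED_UA_PREFIXES = ("Mozilla/",)
WATCHED_PATH = "/api/v1/variables/import"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return one finding per request to the variable import endpoint.

    severity is "high" when an anomalous request succeeded (2xx), "low" when
    it was rejected, and "info" for requests that match the expected policy.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        ip = ip_address(rec["ip"])
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons.append("untrusted source IP")
        if not rec["ua"].startswith(EXPECTED_UA_PREFIXES):
            reasons.append("unexpected user agent")
        if reasons and rec["status"].startswith("2"):
            severity = "high"  # import accepted from an unexpected source
        elif reasons:
            severity = "low"   # attempt seen but the server rejected it
        else:
            severity = "info"
        findings.append({"ip": rec["ip"], "status": rec["status"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["status"], "; ".join(f["reasons"]) or "ok")
```

Feed it a real access log with `analyze(open(path).read())`; a "high" finding on a pre-2.1.3 instance means a variable import was accepted without authentication and the stored variables should be audited before any DAG that reads them runs again.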
disclosure
patch
Exploit status
EPSS
91.78% (100th percentile)
CVSS vector
The primary mitigation for CVE-2021-38540 is to upgrade Apache Airflow to version 2.1.3 or later, which includes the necessary authentication protections. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the variable import endpoint ( /api/v1/variables/import ) using a firewall or network segmentation. Implement a Web Application Firewall (WAF) rule to block unauthorized access to this endpoint. Carefully review and audit existing Airflow variables to identify any suspicious or unexpected values. After upgrading, confirm the fix by attempting to access the /api/v1/variables/import endpoint without authentication and verifying that access is denied.
Upgrade Apache Airflow to version 2.1.3 or later. This fixes the missing authentication on the variable import endpoint and prevents unauthorized access and possible attacks. The upgrade can be performed via pip or your preferred installation method.
CVE-2021-38540 is a critical vulnerability in Apache Airflow versions 2.0.0 to 2.1.3 where unauthenticated users can modify Airflow variables, potentially leading to remote code execution.
You are affected if you are running Apache Airflow versions 2.0.0 through 2.1.3. Upgrade to 2.1.3 or later to resolve the issue.
The recommended fix is to upgrade Apache Airflow to version 2.1.3 or later. As a temporary workaround, restrict network access to the variable import endpoint.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-priority target.
You can find the official advisory on the Apache Airflow website: https://airflow.apache.org/2021/05/24/security-vulnerability-in-apache-airflow.html