Platform
python
Component
apache-airflow
Fixed in
2.1.3
CVE-2021-38540 is a critical remote code execution (RCE) vulnerability affecting Apache Airflow versions from 2.0.0 up to, but not including, 2.1.3. The variable import endpoint lacked authentication, allowing unauthenticated users to manipulate Airflow variables that are consumed by Directed Acyclic Graphs (DAGs). Tampering with those variables can lead to denial of service, information disclosure and, critically, remote code execution.
The primary impact of CVE-2021-38540 is the potential for remote code execution. An attacker could leverage this vulnerability to inject malicious code into Airflow variables, which would then be executed as part of DAG runs. This could allow them to gain control of the Airflow infrastructure and potentially the underlying systems. The lack of authentication on the variable import endpoint makes exploitation relatively straightforward. Successful exploitation could lead to data breaches, system compromise, and disruption of critical workflows managed by Airflow. This vulnerability shares similarities with other insecure API endpoint exposures, where lack of authentication allows unauthorized access and manipulation of sensitive data or system functions.
CVE-2021-38540 was publicly disclosed on May 24, 2022. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA's KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of remote code execution.
Organizations heavily reliant on Apache Airflow for orchestrating complex workflows are at significant risk. Specifically, deployments with publicly accessible Airflow instances or those lacking robust network segmentation are particularly vulnerable. Airflow installations using older versions (prior to 2.1.3) and those with limited security monitoring are also at heightened risk.
• python / airflow:

```python
import requests
import json

# Request against the variable import endpoint of a target host (placeholder),
# sent without any credentials, as the page's own proof-of-concept shows.
url = "http://<airflow_host>/api/v1/variables/import"
headers = {'Content-Type': 'application/json'}
data = {'key': 'test_variable', 'value': 'malicious_code'}
try:
    response = requests.post(url, headers=headers, data=json.dumps(data))
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Content: {response.content}")
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
```

• linux / server: Monitor Airflow logs for unusual variable import activity or errors related to variable manipulation. Use journalctl -u airflow to filter for relevant log entries.
• generic web: Check Airflow server access logs for requests to /api/v1/variables/import originating from unexpected IP addresses or user agents.
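The access-log check above, as an added example that is not part of the original page: it parses web-server lines in combined log format, keeps only hits on /api/v1/variables/import, and flags those whose source address or user agent is not on an operator-maintained allowlist. The allowlist values and the sample log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Endpoint named on the page.
VARIMPORT_PATH = "/api/v1/variables/import"

# Constructed allowlist: the addresses and client prefixes an operator expects to
# call the import endpoint (CI runners, an admin host). Adjust to the deployment.
ALLOWED_SOURCES = {"10.0.1.15"}
ALLOWED_AGENT_PREFIXES = ("python-requests/", "curl/")

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag variable-import requests from unexpected sources or user agents."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip any query string before comparing the path.
        if rec["path"].split("?", 1)[0] != VARIMPORT_PATH:
            continue
        reasons = []
        if rec["ip"] not in ALLOWED_SOURCES:
            reasons.append("unexpected source ip")
        if not rec["agent"].startswith(ALLOWED_AGENT_PREFIXES):
            reasons.append("unexpected user agent")
        if reasons:
            rec["reasons"] = ", ".join(reasons)
            hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.1.15 - - [10/Sep/2021:08:00:01 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 57 "-" "python-requests/2.26.0"',
    '203.0.113.7 - - [10/Sep/2021:08:03:12 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '10.0.1.15 - - [10/Sep/2021:08:05:40 +0000] "GET /api/v1/dags HTTP/1.1" 200 1320 "-" "python-requests/2.26.0"',
    '198.51.100.9 - - [10/Sep/2021:08:07:02 +0000] "POST /api/v1/variables/import?x=1 HTTP/1.1" 401 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["agent"]!r}: {hit["reasons"]}')
```

A 2xx status on a flagged line is the one to chase first: on an unpatched instance it means the import was accepted without credentials, so the stored variables should be audited as the mitigation section describes.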
disclosure
patch
Exploit status
EPSS
91.78% (percentile 100%)
CVSS vector
The primary mitigation for CVE-2021-38540 is to upgrade Apache Airflow to version 2.1.3 or later, which includes the necessary authentication protections. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the variable import endpoint ( /api/v1/variables/import ) using a firewall or network segmentation. Implement a Web Application Firewall (WAF) rule to block unauthorized access to this endpoint. Carefully review and audit existing Airflow variables to identify any suspicious or unexpected values. After upgrading, confirm the fix by attempting to access the /api/v1/variables/import endpoint without authentication and verifying that access is denied.
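The post-upgrade confirmation described above, as an added example that is not part of the original page: it sends one request to the variable import endpoint with no credentials and an empty JSON body, then maps the HTTP status to a verdict. The host is a placeholder; the verdict strings and the treatment of 400 and 404 as inconclusive are this example's own choices.

```python
import urllib.error
import urllib.request

# Placeholder: replace with the base URL of the instance being verified.
BASE_URL = "http://<airflow_host>"
VARIMPORT_PATH = "/api/v1/variables/import"  # endpoint named on the page


def verdict_from_status(status: int) -> str:
    """Map the status of an unauthenticated request to a fixed/exposed verdict."""
    if status in (401, 403):
        return "fixed: unauthenticated access denied"
    if 200 <= status < 300:
        return "EXPOSED: endpoint accepted an unauthenticated request"
    if status == 404:
        return "inconclusive: endpoint not found at this path"
    # e.g. 400 on an empty body: the request reached the handler without an
    # authentication failure, so check the version and re-test with auth.
    return f"inconclusive: unexpected status {status}"


def check_unauthenticated_access(base_url: str = BASE_URL, timeout: float = 5.0) -> str:
    """POST an empty JSON document without credentials and classify the response."""
    req = urllib.request.Request(
        base_url + VARIMPORT_PATH,
        data=b"{}",  # empty body: exercises the auth check without defining any variable
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return verdict_from_status(resp.status)
    except urllib.error.HTTPError as e:
        # urllib raises for 4xx/5xx; the code is what we want to classify.
        return verdict_from_status(e.code)
    except urllib.error.URLError as e:
        return f"inconclusive: request failed ({e.reason})"


if __name__ == "__main__":
    print(check_unauthenticated_access())
```

Run it against a staging copy first; an "EXPOSED" verdict after an upgrade usually means the webserver process was not restarted or an old image is still serving the endpoint.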
Upgrade Apache Airflow to version 2.1.3 or later. This fixes the missing authentication on the variable import endpoint, preventing unauthorized access and the resulting attacks. The upgrade can be performed with pip or your preferred installation method.
CVE-2021-38540 is a critical vulnerability in Apache Airflow versions 2.0.0 to 2.1.3 where unauthenticated users can modify Airflow variables, potentially leading to remote code execution.
You are affected if you are running Apache Airflow versions 2.0.0 through 2.1.3. Upgrade to 2.1.3 or later to resolve the issue.
The recommended fix is to upgrade Apache Airflow to version 2.1.3 or later. As a temporary workaround, restrict network access to the variable import endpoint.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-priority target.
You can find the official advisory on the Apache Airflow website: https://airflow.apache.org/2021/05/24/security-vulnerability-in-apache-airflow.html