Warning: A combination of known vulnerabilities in Apache Airflow version 1.10.10 can lead to unauthenticated remote code execution. Verify your systems and update!
- CVE-2020-11978
  - CVSS Score: 8.8 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE-2020-13927
  - CVSS Score: 9.8 CRITICAL
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Sources
CVE-2020-11978: https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx
CVE-2020-13927: https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d
Risks
A Metasploit module is now publicly available that chains CVE-2020-11978 and CVE-2020-13927, allowing an attacker to create a vulnerable DAG (Directed Acyclic Graph) and inject commands in Apache Airflow version 1.10.10.
As Apache Airflow is widely used, the Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends that system administrators upgrade to the latest version of Apache Airflow.