
Warning: Vulnerability Exposing Sensitive Configuration Variables In Apache Airflow, Patch Immediately!

Reference: Advisory #2024-268
Version: 1.0
Affected software: Apache Airflow <2.10.3
Type: Debug Messages Revealing Unnecessary Information (CWE-1295)
CVE/CVSS:

CVE-2024-45784: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45784

Risks

Apache Airflow is an open-source workflow management platform used to automate, schedule, and monitor complex workflows. Prior to version 2.10.3, Airflow contains a vulnerability that can expose configuration variables in its task logs. This exposure of sensitive information has a high impact on confidentiality.

These logs could then be accessed by unauthorized users, who could use the exposed information to compromise the system further.

Description

CVE-2024-45784, CVSS 7.5

A DAG (Directed Acyclic Graph) is how Apache Airflow organizes the tasks of a workflow. With this vulnerability, DAG authors could unintentionally log sensitive information used in their tasks, such as API keys and other credentials. Because this logged information is not masked, and is accessible to unauthenticated users if the logs are not additionally protected, the impact on confidentiality is high. The exposed information can also be used for further exploitation.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. The vulnerability is fixed in versions >=2.10.3, which mask secrets in task logs.

It is also highly recommended to change any possibly exposed secrets.
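To decide which secrets need rotating, task logs written by an affected version have to be triaged for unmasked values. The following helper is an added example (not code from the CCB or the Apache Airflow project): it checks an Airflow version against the fixed release and scans task-log lines for key=value pairs whose key name looks like a credential and whose value has not been replaced by the masker's `***`. The log lines are constructed samples, and the list of sensitive key names is an assumption to be extended per environment.

```python
import re
from typing import Iterable

# Assumed list of name fragments that usually mark a credential; not Airflow's own list.
SENSITIVE_NAME_PARTS = ("password", "secret", "token", "api_key", "apikey", "fernet", "private_key")

# Airflow task-log prefix: [timestamp] {source.py:line} LEVEL - message
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{(?P<src>[^}]+)\} (?P<lvl>\w+) - (?P<msg>.*)$")
# key=value or key: value pairs inside the message (env-style names such as AIRFLOW__CORE__FERNET_KEY included)
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_.\-]*)\s*[=:]\s*(?P<val>\S+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_version(version: str) -> bool:
    """True for Airflow releases before 2.10.3, the version the advisory lists as fixed."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups()) < (2, 10, 3)


def is_sensitive_name(name: str) -> bool:
    n = name.lower()
    return any(part in n for part in SENSITIVE_NAME_PARTS)


def find_exposed_secrets(lines: Iterable[str]) -> list[dict]:
    """One finding per sensitive-looking key whose value is not the masker's '***'.
    The value itself is never stored in full; only a short prefix is kept for triage."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        msg = m.group("msg") if m else line  # tolerate lines without the standard prefix
        for kv in KV_RE.finditer(msg):
            key, val = kv.group("key"), kv.group("val").strip("\"',")
            if is_sensitive_name(key) and val != "***":
                findings.append({"line": lineno, "key": key, "masked": val[:2] + "***"})
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real Airflow output
    "[2024-11-15T10:00:00.000+0000] {taskinstance.py:100} INFO - Starting task run",
    "[2024-11-15T10:00:01.000+0000] {dag.py:42} INFO - AIRFLOW__CORE__FERNET_KEY=AbCdEf0123456789",
    "[2024-11-15T10:00:01.000+0000] {dag.py:43} INFO - conn password=hunter2 host=db.example",
    "[2024-11-15T10:00:02.000+0000] {dag.py:44} INFO - api_token: ***",
    "[2024-11-15T10:00:03.000+0000] {dag.py:45} INFO - retries=3",
]

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_LOG):
        print(f"line {f['line']}: {f['key']} = {f['masked']}  -> rotate this secret")
```

Each finding names the key to rotate without echoing the full value into yet another log.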

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Vendor advisory: https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
GitHub repository: https://github.com/apache/airflow/