List: oss-security
Subject: [oss-security] CVE-2021-35936: Apache Airflow: No Authentication on Logging Server
From: Kaxil Naik <kaxilnaik () apache ! org>
Date: 2021-08-13 12:20:03
Message-ID: 7b76d2e2-1438-b059-0e65-a2986c815f76 () apache ! org
Description:
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server that listens on a specific port and binds to 0.0.0.0 by default. This logging server had no authentication and allowed reading the log files of DAG jobs.
This issue affects Apache Airflow < 2.1.2.
Mitigation:
Use remote logging with GCS, S3, Elasticsearch, etc.; this is recommended for production environments.
Do not publicly expose any other ports apart from the Webserver port, Flower port, etc.
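As an added illustration of the remote-logging mitigation (not configuration shipped with the advisory or the Airflow project), the fragment below shows the relevant `[logging]` section of an Airflow 2.x `airflow.cfg`, with the weak default commented out beside the hardened setting. The S3 bucket path and the connection id `aws_default` are placeholders; the option names `remote_logging`, `remote_log_conn_id` and `remote_base_log_folder` are the real Airflow 2.x keys.

```ini
[logging]
# Weak default described in the advisory: logs stay on the worker/scheduler,
# so the unauthenticated Flask log server is what serves them to the webserver.
# remote_logging = False

# Hardened: ship task logs to remote storage so the webserver reads them from
# there instead of the per-worker log server. Values below are placeholders.
remote_logging = True
remote_log_conn_id = aws_default
remote_base_log_folder = s3://PLACEHOLDER-bucket/airflow/logs
# Enabling remote logging does not close the log server port; keep it
# unreachable from outside the cluster with network policy or a firewall,
# and upgrade to Airflow 2.1.2 or later as the advisory states.
```

The same keys accept `gs://` and Elasticsearch targets for the other backends the advisory lists; the connection id must match an Airflow connection with credentials for that storage.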
Credit:
Apache Airflow would like to thank Dolev Farhi for reporting this issue.