List: oss-security
Subject: [oss-security] CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task h
From: Jarek Potiuk <potiuk () apache ! org>
Date: 2024-03-26 14:33:16
Message-ID: 5935a3d4-2b6c-b71d-c934-a43da9297880 () apache ! org
Severity: important
Affected versions:
- Apache Airflow 2.8.2 through 2.8.3
Description:
Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3.
Airflow's local file task handler incorrectly set permissions on all parent folders of the log folder; in the default configuration this added write access for the Unix group of those folders. When Airflow is run as the root user (not recommended), it added group write permission to every folder up to the root of the filesystem.
If your log files are stored in your home directory, these permission changes might impact your ability to run SSH operations once your home directory becomes group-writeable (sshd's StrictModes check rejects a group-writeable home directory).
This issue does not affect users who use or extend Airflow using the official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ); those images require group write permission to be set anyway.
You are affected only if you install Airflow using a local installation / virtualenv or other Docker images, and the issue has no impact if Docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users.
You should also be unaffected if your umask is 002 (group write enabled), which is the default on many Linux systems.
Recommendation for users running Airflow outside of containers:
* if you are using root to run Airflow, change your Airflow user to a non-root user
* upgrade Apache Airflow to 2.8.4 or above
* if you prefer not to upgrade, change the file_task_handler_new_folder_permissions configuration option ( https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions ) to 0o755 (original value 0o775)
* if you have already run Airflow tasks and your default umask is 022 (group write disabled), stop the Airflow components, check the permissions of AIRFLOW_HOME/logs in all your components and of all parent directories of that directory, and remove group write access from all the parent directories
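The last recommendation is easy to get wrong by hand, because the chain of parent directories can be long and, after a root run, reaches the filesystem root. The script below is an added example written for this note; it is not Airflow's own code and does not reproduce the faulty handler. It walks from the log directory (by default $AIRFLOW_HOME/logs, falling back to ~/airflow/logs) up towards the root, lists every directory that has the group write bit set, and clears only that bit when run with --fix. The `--stop-at` boundary, the `build_demo_tree` helper and the sample directory names it creates are assumptions of this example, added so that it can be exercised in a temporary sandbox instead of on a real host.

```python
#!/usr/bin/env python3
"""Audit (and optionally repair) group-write bits on a log directory and its parents.

Added example, not Airflow's own code: implements the advisory's last
recommendation -- walk from AIRFLOW_HOME/logs up towards the filesystem root,
list every directory with the group write bit set, and clear it on request.
"""
import argparse
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def parent_chain(path: Path, stop_at: Optional[Path] = None) -> list[Path]:
    """Return `path` and its ancestors, nearest first.

    The walk ends at the filesystem root, or at `stop_at` (inclusive) when given,
    so that shared system directories such as /tmp (mode 1777 by design) can be
    kept out of the audit.
    """
    path = path.resolve()
    stop = stop_at.resolve() if stop_at is not None else None
    chain: list[Path] = []
    for p in (path, *path.parents):
        chain.append(p)
        if stop is not None and p == stop:
            break
    return chain


def group_writable_dirs(path: Path, stop_at: Optional[Path] = None) -> list[Path]:
    """Directories in the chain whose mode has S_IWGRP (g+w) set."""
    return [
        p for p in parent_chain(path, stop_at)
        if p.is_dir() and os.stat(p).st_mode & stat.S_IWGRP
    ]


def strip_group_write(dirs: list[Path], dry_run: bool = True) -> dict[Path, str]:
    """chmod g-w each directory; returns {dir: "old -> new"} in octal.

    Only the group write bit changes; owner/other bits, setgid and sticky bits
    are preserved. With dry_run=True nothing is modified, only reported.
    """
    report: dict[Path, str] = {}
    for d in dirs:
        old = stat.S_IMODE(os.stat(d).st_mode)
        new = old & ~stat.S_IWGRP
        report[d] = f"{old:04o} -> {new:04o}"
        if not dry_run:
            os.chmod(d, new)
    return report


def build_demo_tree() -> tuple[Path, Path]:
    """Constructed sample tree (assumption of this example, not a real host).

    Creates base/home/airflow/logs in a temp dir and mimics the behaviour the
    advisory describes: every level of the log path ends up 0o775 (group
    writeable), while the sandbox base stays 0o755.
    """
    base = Path(tempfile.mkdtemp(prefix="cve-2024-29735-demo-"))
    logs = base / "home" / "airflow" / "logs"
    logs.mkdir(parents=True)
    for d in (logs, logs.parent, logs.parent.parent):
        os.chmod(d, 0o775)
    os.chmod(base, 0o755)
    return base, logs


def main() -> None:
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("path", nargs="?", type=Path,
                    default=Path(os.environ.get("AIRFLOW_HOME", Path.home() / "airflow")) / "logs",
                    help="log directory to start from (default: $AIRFLOW_HOME/logs)")
    ap.add_argument("--stop-at", type=Path, default=None,
                    help="highest directory to inspect (default: filesystem root)")
    ap.add_argument("--fix", action="store_true",
                    help="actually chmod g-w the listed directories (default: report only)")
    args = ap.parse_args()
    found = group_writable_dirs(args.path, args.stop_at)
    if not found:
        print("no group-writeable directories found")
    for d, change in strip_group_write(found, dry_run=not args.fix).items():
        print(f"{'fixed' if args.fix else 'would fix'} {d}: {change}")


if __name__ == "__main__":
    main()
```

Run it first without --fix and read the report: on a host where Airflow ran as root the chain reaches / and will include directories such as /tmp or /var/tmp, which are group-writeable on purpose, so pass --stop-at (for example the Airflow user's home directory) or prune the list before applying --fix. Stop the Airflow components before fixing, as the advisory says, so that a running task handler does not re-create the permissions you just removed.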
Credit:
Matej Murin (finder)
References:
https://github.com/apache/airflow/pull/37310
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-29735