
List:       oss-security
Subject:    [oss-security] CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task h
From:       Jarek Potiuk <potiuk () apache ! org>
Date:       2024-03-26 14:33:16
Message-ID: 5935a3d4-2b6c-b71d-c934-a43da9297880 () apache ! org

Severity: important

Affected versions:

- Apache Airflow 2.8.2 through 2.8.3

Description:

Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3.

Airflow's local file task handler incorrectly set permissions on all parent folders of the log folder; in the default configuration this added write access for the Unix group of those folders. When Airflow was run as the root user (not recommended), it added group write permission to every folder up to the root of the filesystem.

If your log files are stored in your home directory, these permission changes might impact your ability to run SSH operations once your home directory becomes group-writable.

This issue does not affect users who use or extend Airflow via the official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ): those images require group write permission to be set anyway.

You are affected only if you install Airflow using a local installation / virtualenv or other Docker images, and the issue has no impact if Docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users.

You should also not be affected if your umask is 002 (group write enabled), which is the default on many Linux systems.

Recommendation for users running Airflow outside of containers:

  *  if you are using root to run Airflow, change your Airflow user to a non-root user
  *  upgrade Apache Airflow to 2.8.4 or above
  *  if you prefer not to upgrade, you can change the file_task_handler_new_folder_permissions configuration option ( https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions ) to 0o755 (original value 0o775)
  *  if you already ran Airflow tasks before and your default umask is 022 (group write disabled), you should stop the Airflow components, check the permissions of AIRFLOW_HOME/logs in all your components and of all parent directories of this directory, and remove group write access from all the parent directories
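The last recommendation (inspect AIRFLOW_HOME/logs and its parents, then remove group write from the parents) as a small POSIX shell script. This is an added example, not code from the advisory or from Airflow; it assumes that 'ls -ld' prints the usual 10-character mode string, and it takes the log directory plus an optional upper boundary directory as arguments so the audit can be limited to, say, a home directory instead of walking all the way to /.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Airflow: audit the directories
# above an Airflow log directory for a group-write bit this issue could have
# set, and optionally strip it from the parents. POSIX sh; the only assumption
# is that 'ls -ld' prints the usual 10-character mode string (column 6 is the
# group 'w' flag).

# Print every directory from DIR upward to STOP (inclusive) whose group-write
# bit is set, one per line. STOP defaults to "/".
group_writable_ancestors() {
    dir=$(cd "$1" && pwd -P) || return 2
    stop=$(cd "${2:-/}" && pwd -P) || return 2
    while :; do
        if [ "$(ls -ld "$dir" | cut -c6)" = "w" ]; then
            printf '%s\n' "$dir"
        fi
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break   # reached the root without meeting STOP
        dir=$(dirname "$dir")
    done
}

# Remove group write from every directory strictly above LOGS, up to STOP.
# LOGS itself is left alone: the advisory asks for the parents to be fixed, and
# the log directory may legitimately stay group-writable for the Airflow group.
strip_group_write_from_parents() {
    logs=$(cd "$1" && pwd -P) || return 2
    group_writable_ancestors "$(dirname "$logs")" "${2:-/}" |
    while IFS= read -r d; do
        chmod g-w "$d"
    done
}

# Stand-alone usage: sh airflow_log_perms.sh AIRFLOW_HOME/logs [STOP] [fix]
if [ "$#" -ge 1 ]; then
    logs=$1
    stop=${2:-/}
    echo "Group-writable directories from $logs up to $stop:"
    group_writable_ancestors "$logs" "$stop"
    if [ "${3-}" = "fix" ]; then
        strip_group_write_from_parents "$logs" "$stop"
        echo "Removed group write from the parents of $logs"
    fi
fi
```

Run the audit first without "fix" and review the list: a directory such as /tmp is group-writable by design, and a shared project directory may be too, so only strip the bit from directories that were changed by the task handler. Stop the Airflow components before changing permissions, as the advisory recommends, so a running task does not re-apply the old mode.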

Credit:

Matej Murin (finder)

References:

https://github.com/apache/airflow/pull/37310
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-29735

