A dangerous Apache Flink flaw has resurfaced, and is being actively exploited

Three-year-old vulnerability is resurfacing, causing CISA to sound the alarm

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies that attackers are actively exploiting it to compromise devices without endpoint protection.

The vulnerability in question is an improper access control flaw in Apache Flink, first disclosed in January 2021.

Apache Flink is an open source stream-processing framework developed and maintained by the Apache Software Foundation. It is designed to process large volumes of data in real time with low latency and high throughput.

A deadline for patching

The flaw is tracked as CVE-2020-17519. It was disclosed in early January 2021, and the Apache advisory itself did not assign a severity score; NVD later rated it 7.5 (High), reflecting that the impact is confined to reading files the JobManager process can access.

The Apache Software Foundation fixed it promptly. Vulnerable versions are Flink 1.11.0, 1.11.1, and 1.11.2; the fix shipped in 1.11.3 and 1.12.0.

“A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process,” the Apache Software Foundation explained at the time. “Access is restricted to files accessible by the JobManager process.”

Adding the bug to the KEV, CISA also gave federal agencies a deadline, June 13, 2024, by which they must either apply the patch or stop using the vulnerable software altogether. Private-sector organisations should treat the same date as their own deadline: attackers rarely skip a potential target because of the industry it is in.
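To make the advisory quoted above and CISA's patch-or-remove guidance actionable, here is an added Python example (it is not part of the original article, nor code from the Flink project). It does the two things a defender wants: it classifies a JobManager's reported version against the affected releases, and it flags requests to the JobManager's log-file REST endpoint whose path, once fully percent-decoded, contains a directory-traversal sequence. The endpoint prefix `/jobmanager/logs/` and the double-encoded `..%252f` form come from the public description of the flaw rather than from this article and are assumptions here; the access-log lines are constructed and assume a reverse proxy logging in combined format in front of the JobManager, since Flink's REST server does not write an access log on its own.

```python
import re
from urllib.parse import unquote

# Affected / fixed releases exactly as named in the Apache advisory.
VULNERABLE = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}

# Assumed endpoint: the JobManager log-file handler added in Flink 1.11.
LOG_ENDPOINT = "/jobmanager/logs/"


def parse_version(version: str) -> tuple:
    """Turn '1.11.2' (or '1.11.2-something') into (1, 11, 2)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Flink version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True for the releases the advisory lists as affected by CVE-2020-17519.

    Feed it the 'flink-version' value a JobManager reports, or the version
    from the deployment manifest. Newer minor lines (1.12+) are not affected.
    """
    return parse_version(version) in VULNERABLE


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    A single decode turns '..%252f' into '..%2f'; the second turns it into
    '../'. Decoding to a fixed point is what exposes double-encoded traversal.
    """
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def is_traversal_attempt(request_path: str) -> bool:
    """Flag requests to the log endpoint that try to climb out of the log dir."""
    decoded = fully_decode(request_path.split("?", 1)[0])
    if not decoded.startswith(LOG_ENDPOINT):
        return False
    segments = decoded[len(LOG_ENDPOINT):].replace("\\", "/").split("/")
    return ".." in segments


# Constructed combined-format access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [23/May/2024:10:01:02 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1431 "-" "curl/8.4.0"
10.0.0.7 - - [23/May/2024:10:01:09 +0000] "GET /jobmanager/logs/flink-jobmanager-0.log HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
10.0.0.9 - - [23/May/2024:10:02:15 +0000] "GET /jobmanager/logs/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.7 - - [23/May/2024:10:03:00 +0000] "GET /jobs/overview HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(text: str) -> list:
    """Return one record per request that looks like an exploitation attempt.

    A 200 on a traversal path is the alarming case: it means the JobManager
    served the file. A 404 suggests the request was rejected, but the
    source IP is still worth noting.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m["path"]):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
            })
    return hits


if __name__ == "__main__":
    for v in ("1.11.2", "1.11.3", "1.12.0"):
        print(f"Flink {v}: {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{hit['ip']} -> {hit['status']} {hit['decoded']}")
```

Run it against your own proxy logs by replacing `SAMPLE_ACCESS_LOG` with the file contents; a hit with status 200 on a host still running 1.11.0 to 1.11.2 should be treated as a confirmed read of whatever file the decoded path names, and the JobManager's secrets (keytabs, S3 credentials, TLS keys) rotated accordingly.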

Unfortunately, CISA did not share additional details about the vulnerability or its exploiters, so we don’t know who the threat actors are, or who the victims might be. We also don’t know how many firms may have been compromised this way already, or what the attackers are using it for.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.