Apache Flink jobmanager/logs Path Traversal
Description
Apache Flink is an open-source framework for distributed stream and batch data processing. Apache Flink 1.11.0, 1.11.1 and 1.11.2 contain a path traversal vulnerability that lets an unauthenticated remote attacker read arbitrary files from the JobManager's local filesystem through the JobManager REST API. The affected interface is jobmanager/logs: it does not properly validate the requested file name, so '../' sequences in the request path escape the log directory and reach files elsewhere on the host. Flink's REST interface has no built-in authentication, so any client able to reach the JobManager's REST port (8081 by default) can issue these requests.
Remediation
Upgrade Apache Flink to 1.11.3 or later on the 1.11 line, or to 1.12.0 or later; both contain the fix for this path traversal vulnerability. Follow these steps:
1. Identify all Apache Flink deployments running 1.11.0, 1.11.1 or 1.11.2 (the JobManager REST API and the web UI both report the running version)
2. Schedule maintenance windows and upgrade affected instances to 1.11.3, 1.12.0 or newer
3. If immediate patching is not possible, restrict network access to the JobManager REST port to trusted addresses only
4. Review request logs for the JobManager REST interface (a reverse proxy or load balancer in front of it is the usual source) for requests to jobmanager/logs containing '../'; check percent-encoded forms such as %2e%2e%2f and %2e%2e/ as well, since traversal sequences are routinely encoded to slip past naive filters, and treat a 200 response to such a request as a likely successful file read that needs investigation of which files were exposed
5. After upgrading, verify the fix by confirming that traversal requests to jobmanager/logs are rejected rather than served
Until the upgrade is in place, restrict the JobManager REST interface with firewall rules or a reverse proxy so that only authorized users and networks can reach it; the vulnerable endpoint requires no credentials, so network reachability is the only barrier.
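The following Python script is an added example covering the triage, log-review and verification steps above (steps 1, 4 and 5); it is not code from the Flink project or from this advisory. It assumes the standard Flink REST endpoint GET /config, whose JSON reply carries a 'flink-version' field, and it uses constructed host names and constructed access-log lines. The encoded '../' probes are a general traversal check and make no claim about which encoding the original bug required.

```python
"""Remediation helpers: version triage (step 1), log review (step 4) and
post-upgrade verification (step 5).  Added example, not Flink project code.
Host names and the sample log lines below are constructed."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Releases the advisory names as affected; 1.11.3 and 1.12.0+ carry the fix.
AFFECTED = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}


def parse_version(text):
    """'1.11.2' or '1.11.2-SNAPSHOT' -> (1, 11, 2); missing components become 0."""
    nums = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """Step 1: True only for the three releases the advisory lists."""
    return parse_version(version) in AFFECTED


def fetch_flink_version(base_url, timeout=5):
    """Step 1 against a live JobManager: GET /config returns JSON whose
    'flink-version' field is the running version (assumed standard endpoint)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/config", timeout=timeout) as r:
        return json.load(r)["flink-version"]


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so ..%2F and ..%252F both become ../"""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if a '../' segment appears anywhere in the decoded path."""
    p = decode_fully(path).replace("\\", "/")
    return "../" in p or p.endswith("/..")


REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed access-log lines, as a reverse proxy in front of the JobManager
# would record them.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2021:10:01:02 +0000] "GET /jobmanager/logs HTTP/1.1" 200 532
10.0.0.5 - - [21/Jan/2021:10:01:09 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 18821
198.51.100.7 - - [21/Jan/2021:10:02:30 +0000] "GET /jobmanager/logs/../../../../etc/passwd HTTP/1.1" 200 1705
198.51.100.7 - - [21/Jan/2021:10:02:41 +0000] "GET /jobmanager/logs/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1705
198.51.100.7 - - [21/Jan/2021:10:02:55 +0000] "GET /jobmanager/logs/..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [21/Jan/2021:10:05:00 +0000] "GET /overview HTTP/1.1" 200 240
"""


def find_traversal_attempts(log_text):
    """Step 4: (line_no, client, path, status) for every request whose path holds
    a traversal sequence.  A 200 on a pre-upgrade host means a file was likely served."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((n, m.group("client"), m.group("path"), int(m.group("status"))))
    return hits


def traversal_probes(target="/etc/passwd", depth=6):
    """Raw, single- and double-percent-encoded '../' probes against jobmanager/logs."""
    rel = "../" * depth + target.lstrip("/")
    once = urllib.parse.quote(rel, safe="")
    return ["/jobmanager/logs/" + p for p in (rel, once, urllib.parse.quote(once, safe=""))]


def probe_served_file(status, body):
    """Step 5 decision rule: 200 with a non-empty body means the traversal still
    reads files; anything else counts as blocked."""
    return status == 200 and body.strip() != b""


def verify_fixed(base_url, timeout=5):
    """Step 5 against a live host: {probe: served_file?}; all False means fixed."""
    results = {}
    for probe in traversal_probes():
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + probe, timeout=timeout) as r:
                results[probe] = probe_served_file(r.status, r.read(256))
        except urllib.error.HTTPError as e:
            results[probe] = probe_served_file(e.code, b"")
    return results


if __name__ == "__main__":
    for v in ("1.11.2", "1.11.3", "1.12.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
    # Live checks against a constructed address:
    # print(fetch_flink_version("http://jobmanager.example:8081"))
    # print(verify_fixed("http://jobmanager.example:8081"))
```

The log scan decodes each path repeatedly before looking for '../', so single- and double-encoded attempts are caught alongside the raw form; the verification sends the same three encodings and only reports the host as fixed when none of them returns file content.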