CISA Warns that Apache Flink Vulnerability from 4 Years Ago is Still Being Actively Exploited

Recent Discovery of Critical Apache Flink Vulnerability and Active Exploitation by Cyber Actors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised alarms over a four-year-old security flaw in Apache Flink, a popular open-source framework for stream-processing and batch-processing. The flaw, identified as CVE-2020-17519, allows unauthorized access to sensitive information due to improper access control.

CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog after evidence of active exploitation was observed. The agency warns that vulnerabilities like the one in Apache Flink are frequently targeted by malicious cyber actors and pose significant risks to federal enterprises.

The flaw, present in versions 1.11.0, 1.11.1, and 1.11.2 of Apache Flink, enables remote attackers to access files on the local JobManager filesystem through specially crafted directory traversal requests. While specific details of ongoing exploitation campaigns remain unclear, the bug has been acknowledged by project maintainers and has been exploited for at least four years.
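Because the advisory describes the bug as directory traversal against the JobManager, the practical defender's question is whether any such requests have already reached a Flink REST endpoint. The following Python is an added example written for this article; it is not code from CISA, Apache Flink, or the article itself. It assumes a front proxy or load balancer logging in Combined/Common log format, assumes the JobManager REST API serves log files under the `/jobmanager/logs/` path, and uses constructed sample log lines. The point it illustrates is that traversal payloads are often percent-encoded more than once, so a detector must decode until the string stops changing rather than calling `unquote()` once.

```python
import re
from urllib.parse import unquote

# Affected versions named in the advisory.
AFFECTED_VERSIONS = {"1.11.0", "1.11.1", "1.11.2"}

# Assumed JobManager REST path that serves log files (not stated in the article).
LOG_ENDPOINT_PREFIX = "/jobmanager/logs/"

# Constructed sample access-log lines (not real traffic), Combined/Common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2024:10:01:12 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5123
10.0.0.7 - - [20/May/2024:10:02:31 +0000] "GET /jobmanager/logs/..%252f..%252fsome%252fother%252ffile HTTP/1.1" 200 1802
10.0.0.9 - - [20/May/2024:10:03:02 +0000] "GET /jobs/overview HTTP/1.1" 200 412
10.0.0.7 - - [20/May/2024:10:03:40 +0000] "GET /jobmanager/logs/../../some/file HTTP/1.1" 400 0
10.0.0.9 - - [20/May/2024:10:04:15 +0000] "GET /static/..%2f..%2fconfig HTTP/1.1" 404 0
"""

# Request-line parser: client IP, method, raw path, and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing.

    One unquote() turns '%252f' into '%2f', not into '/', which is exactly how
    double-encoded traversal slips past a filter that decodes once and then
    looks for '../'.  max_rounds bounds the loop on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any path segment, after full decoding, is '..'."""
    decoded = fully_decode(path).split("?", 1)[0]   # drop query string
    decoded = decoded.replace("\\", "/")            # treat backslash as separator
    return any(segment == ".." for segment in decoded.split("/"))


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_traversal_requests(log_text: str) -> list:
    """Scan log text and return every request whose path contains traversal.

    Each hit records whether it was aimed at the JobManager log endpoint, so an
    analyst can prioritise those over traversal noise against other paths.
    """
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not has_traversal(record["path"]):
            continue
        hits.append({
            "ip": record["ip"],
            "raw_path": record["path"],
            "decoded_path": fully_decode(record["path"]),
            "status": int(record["status"]),
            "targets_log_endpoint": record["path"].startswith(LOG_ENDPOINT_PREFIX),
        })
    return hits


def summarize_by_ip(hits: list) -> dict:
    """Count traversal attempts per source address for triage."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


def is_affected_version(version: str) -> bool:
    """True if a Flink version string is one the advisory lists as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        flag = "JOBMANAGER-LOGS" if hit["targets_log_endpoint"] else "other"
        print(f'{hit["ip"]} {hit["status"]} [{flag}] {hit["raw_path"]} -> {hit["decoded_path"]}')
    print("per-IP counts:", summarize_by_ip(find_traversal_requests(SAMPLE_LOG)))
    print("1.11.2 affected:", is_affected_version("1.11.2"))
```

A 200 response on a decoded path that walks above the log directory is the finding to escalate; a 400 or 404 on the same pattern still tells you who is probing, which is why the scanner does not filter on status. The `is_affected_version` check pairs the log review with the inventory step: any JobManager on one of the three listed versions needs the January 2021 fix regardless of what the logs show.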

Mitigations are available: the Apache Software Foundation released patches in January 2021. Under its Binding Operational Directive, CISA has directed federal agencies to apply these patches by June 13, 2024, to protect agency networks from active threats.

The discovery of this vulnerability underscores the importance of timely updates and patches for widely deployed open-source projects. Organizations are urged to follow vendor instructions for mitigations or discontinue the use of affected products if fixes are not available. This incident serves as a reminder of the constant vigilance required to safeguard against cyber threats in today’s digital landscape.
