Apache Flink 目录穿越漏洞分析报告 (CVE-2020-17519)<\/h1>

漏洞概述<\/h2>
漏洞名称<\/strong>: Apache Flink 目录穿越漏洞
CVE编号<\/strong>: CVE-2020-17519
影响版本<\/strong>: Apache Flink 1.11.0 - 1.11.2
漏洞类型<\/strong>: 任意文件读取
危害等级<\/strong>: 高危
漏洞描述<\/strong>: 该漏洞允许攻击者通过JobManager进程的REST接口读取本地文件系统上的任何文件，访问范围受限于JobManager进程本身的文件访问权限。<\/p>

漏洞复现<\/h2>
环境搭建<\/h3>

获取源码<\/strong>:<\/p>
git clone https:\/\/github.com\/apache\/flink.git <\/span><\/span><\/code><\/pre><\/li> 检出漏洞版本<\/strong>:<\/p> git checkout 7fed9f0243aaf80d0060f075b95ba46b3207c8a8 <\/span><\/span><\/code><\/pre><\/li> 编译项目<\/strong>:<\/p> mvn clean package -DskipTests <\/span><\/span><\/code><\/pre>编译时间约30分钟<\/em><\/p> <\/li> 配置调试环境<\/strong>: 修改配置文件 flink-debug-src\/build-target\/conf\/flink-conf.yaml<\/code>，添加:<\/p> env.java.opts<\/span>: -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5006<\/span> <\/span><\/span><\/code><\/pre><\/li> 启动服务<\/strong>:<\/p> flink-debug-src\/build-target\/bin\/start-cluster.sh <\/span><\/span><\/code><\/pre><\/li> <\/ol> POC验证<\/h3> 访问以下URL可读取系统文件:<\/p> http:\/\/localhost:8081\/jobmanager\/logs\/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd <\/code><\/pre> 注意<\/em>: 路径使用了双重URL编码(%252f<\/code>是\/<\/code>的双重编码)<\/p> 漏洞分析<\/h2> 攻击流程<\/h3> 攻击者构造包含目录穿越的URL请求<\/li> 服务器接收请求并进行第一次URL解码<\/li> 路由处理过程中进行第二次URL解码<\/li> 解码后的路径被用于文件读取操作<\/li> 服务器返回目标文件内容<\/li> <\/ol> 关键代码分析<\/h3> 路由处理入口<\/strong>:<\/p> org.<\/span>apache<\/span>.<\/span>flink<\/span>.<\/span>runtime<\/span>.<\/span>rest<\/span>.<\/span>handler<\/span>.<\/span>router<\/span>.<\/span>Router<\/span>#<\/span>route <\/span><\/span><\/code><\/pre><\/li> 路径解码<\/strong>:<\/p> org.<\/span>apache<\/span>.<\/span>flink<\/span>.<\/span>runtime<\/span>.<\/span>rest<\/span>.<\/span>handler<\/span>.<\/span>router<\/span>.<\/span>Router<\/span>#<\/span>decodePathTokens <\/span><\/span><\/code><\/pre> 使用\/<\/code>分割路径<\/li> 对每个部分使用QueryStringDecoder.decodeComponent<\/code>进行URL解码<\/li> <\/ul> <\/li> 路由匹配<\/strong>:<\/p> org.<\/span>apache<\/span>.<\/span>flink<\/span>.<\/span>runtime<\/span>.<\/span>rest<\/span>.<\/span>handler<\/span>.<\/span>router<\/span>.<\/span>PathPattern<\/span>#<\/span>match <\/span><\/span><\/code><\/pre> 遍历路径token<\/li> 将..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code>放入Map并返回true<\/li> <\/ul> <\/li> 请求处理<\/strong>:<\/p> org.<\/span>apache<\/span>.<\/span>flink<\/span>.<\/span>runtime<\/span>.<\/span>rest<\/span>.<\/span>handler<\/span>.<\/span>cluster<\/span>.<\/span>AbstractJobManagerFileHandler<\/span>#<\/span>respondToRequest <\/span><\/span><\/code><\/pre> 从请求中获取路径参数<\/li> 构造File对象<\/li> 通过HandlerUtils.transferFile<\/code>读取并返回文件内容<\/li> <\/ul> <\/li> <\/ol> 漏洞根源<\/h3> 漏洞产生于路径处理过程中的双重URL解码机制：<\/p> 服务器自动进行第一次URL解码<\/li> 应用代码显式进行第二次URL解码<\/li> 解码后的路径未进行充分的安全校验<\/li> <\/ol> 修复方案<\/h2> 官方修复commit: b561010b0ee741543c3953306037f00d7a9f0801<\/code><\/p> 主要修复措施：<\/p> 对路径参数进行严格校验<\/li> 防止目录穿越攻击<\/li> <\/ol> 防护建议<\/h2> 升级到Apache Flink 1.11.3或更高版本<\/li> 对JobManager的REST接口实施网络访问控制<\/li> 限制JobManager进程的文件系统访问权限<\/li> <\/ol> 参考链接<\/h2> Apache Flink官方公告<\/a><\/li> 漏洞分析文章<\/a><\/li> <\/ol> 附录<\/h2> 测试用例<\/h3> 官方修复commit中包含的测试用例可用于验证修复效果，建议参考： flink-runtime\/src\/test\/java\/org\/apache\/flink\/runtime\/rest\/handler\/cluster\/JobManagerCustomLogHandlerTest.java<\/code><\/p>