Updates on Apache Airflow Message Broker Vulnerabilities

Adam (adamgold) ・ 1 min read

In August I posted an update about two vulnerabilities in Apache Airflow, an open-source library that allows developers to programmatically author, schedule, and monitor workflows.

Both vulnerabilities allow an attacker to change scope and gain privileges on a different machine, and both rely on the attacker first gaining access to the message broker before performing the attack. Our team found a few examples of unsafe usage of message brokers in the open source community, and we thought it was important to raise awareness of the issue amongst developers. While message brokers are a great tool that can be used in many ways, it is important to implement sufficient security measures to keep your systems safe.

Version 1.10.11, released on July 10th, fixed these issues:

The Command Injection vulnerability was fixed by validating that the commands start with airflow tasks run:

Validate only task commands are run by executors #9178

Posted by ashb


The Deserialization vulnerability was fixed by removing the pickle option from the default configuration:

[AIRFLOW-XXXX] Adjust celery defaults to work with breeze #7205

This PR changes default Celery configs values to ease working with CeleryExecutor in Breeze.


Issue link: Document only change, no JIRA issue

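As an added example (this is not code from Airflow or from the two PRs above), here are the two hardening ideas described in this post written as stand-alone Python: refusing any broker message that is not an airflow tasks run invocation, and flagging a Celery configuration that still accepts pickled content. The function names and the sample configurations are assumptions; accept_content and task_serializer are Celery's own setting names.

```python
from typing import List, Sequence

# Only commands of this exact shape may be handed to a worker for execution.
ALLOWED_PREFIX = ("airflow", "tasks", "run")


def is_task_run_command(command: Sequence[str]) -> bool:
    """Return True only if `command` is an `airflow tasks run ...` invocation.

    Same idea as the validation added in Airflow PR #9178: a message pulled
    from the broker is executed only if it starts with the task-run prefix.
    Anything else (another subcommand, a bare string, an empty list) is
    refused, so a message written into the broker cannot run arbitrary code.
    """
    if not isinstance(command, (list, tuple)):
        return False  # a raw string would be passed to a shell; never accept it
    if len(command) <= len(ALLOWED_PREFIX):
        return False  # the prefix alone names no task to run
    return tuple(command[: len(ALLOWED_PREFIX)]) == ALLOWED_PREFIX


def execute_command(command: List[str]) -> str:
    """Executor entry point (hypothetical): validate, then describe the run.

    A real executor would call subprocess.run(command) after the check; this
    example returns a description instead so it runs offline.
    """
    if not is_task_run_command(command):
        raise ValueError(f"refusing to run non-task command: {command!r}")
    return "would run: " + " ".join(command)


# Constructed Celery settings: the pre-fix default style next to a safe one.
UNSAFE_CELERY = {"accept_content": ["json", "pickle"], "task_serializer": "pickle"}
SAFE_CELERY = {"accept_content": ["json"], "task_serializer": "json"}


def allows_pickle(celery_config: dict) -> bool:
    """True if a worker with this config would unpickle broker messages."""
    accepted = {c.lower() for c in celery_config.get("accept_content", [])}
    return "pickle" in accepted or celery_config.get("task_serializer") == "pickle"
```

allows_pickle() is the check to run against your own Celery settings after upgrading: the fix only changed the defaults, so an explicit pickle setting carried over from an older deployment is still unsafe.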

If you haven't yet upgraded to the latest Apache Airflow version, it is recommended to do so.

Feel free to ask any questions about these vulnerabilities below, and we'll be happy to help.
