Update from October 6, 2021 – Apache released an update which fixes a critical rated Directory traversal and RCE exploit found in Apache Airflow Server version 2.4.49 (CVE-2021-41773), as well as version 2.4.50 (CVE-2021-42013). The latest version, 2.4.51 (CVE-2021-40438) fixes these vulnerabilities. Apache recommends upgrading your server to the latest version immediately. Click on this link for further details.
If you can’t update your server immediately, Avertium recommends creating a temporary firewall rule that prevents requests which include a=proxy:unix.
On October 4, 2021, researchers from Intezer published details about two Apache Airflow Server vulnerabilities – a path traversal and file disclosure flaw in its HTTP server. The zero-day vulnerabilities are being tracked as CVE-2021-41773 and allow attackers to map URLs to files outside the expected document root by launching a path traversal attack.
A path traversal attack means threat actors gain access to the backend or sensitive server directories by sending unauthorized requests that should be inaccessible. Typically, the requests are blocked, but not when the filters are bypassed by using encoded characters (ASCII) for the URLs. Additionally, the path traversal flaw allows the source of interpreted files to be leaked. Companies like Slack, PayPal, and Klarna have already had sensitive information and credentials leaked due to this misconfiguration flaw.
According to Intezer, insecure coding practices are responsible for the data and credential leaks. For example, Intezer found hardcoded passwords inside Python DAG (Directed Acyclic Graph) code. Intezer’s researchers made it clear that passwords should not be hardcoded, and protection is not guaranteed - even if you believe the application is firewalled off to the internet.
So far, there are over a hundred thousand Apache Airflow servers online that are susceptible to this attack. The Apache Software Foundation released the patched version (2.4.50) on October 4, 2021. If you have Apache Airflow and have not patched, please patch your server now. Not doing so could result in your organization accidentally leaking sensitive information (credentials, sensitive data, etc.).