Bug 1913312 (CVE-2020-17518)

Summary: CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, bibryam, chazlett, drieden, ganandan, ggaughan, gmalinko, hbraun, janstey, jnethert, jochrist, jwon, pantinor
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: flink-1.11.3, flink-1.12.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-11 19:28:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1913313    

Description Guilherme de Almeida Suckevicz 2021-01-06 13:48:20 UTC 
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

References:
https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E
https://www.openwall.com/lists/oss-security/2021/01/05/1
Comment 4 errata-xmlrpc 2021-08-11 18:23:44 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
Comment 5 Product Security DevOps Team 2021-08-11 19:28:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17518
Comment 6 errata-xmlrpc 2021-08-18 09:13:34 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205
Comment 7 errata-xmlrpc 2021-08-18 09:55:00 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207