¡¾Îó²îͨ¸æ¡¿Apache Airlfow Pig ProviderÏÂÁî×¢ÈëÎó²î£¨CVE-2022-40189£©

Ðû²¼Ê±¼ä 2022-11-22

0x00 Îó²î¸ÅÊö

CVE   ID

CVE-2022-40189

·¢Ã÷ʱ¼ä

2022-11-22

Àà    ÐÍ

ÏÂÁî×¢Èë

µÈ    ¼¶

ÖÐΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


¹¥»÷ÖØÆ¯ºó


Óû§½»»¥


PoC/EXP


ÔÚҰʹÓÃ


 

0x01 Îó²îÏêÇé

Apache Airflow ÊÇÒ»¸öÄܹ»¿ª·¢¡¢µ÷ÀíºÍ¼à¿ØÊÂÇéÁ÷µÄ±àÅÅÆ½Ì¨¡£¡£

11ÔÂ21ÈÕ£¬£¬ApacheÐû²¼Ç徲ͨ¸æ£¬£¬ÐÞ¸´ÁËApache Airflow Pig ProviderÖеÄÒ»¸öÏÂÁî×¢ÈëÎó²î£¨CVE-2022-40189£©¡£¡£

Apache Airflow Pig ProviderÖб£´æOSÏÂÁî×¢ÈëÎó²î£¬£¬¿ÉÔÚÎÞÐè¶ÔDAGÎļþ¾ÙÐÐд»á¼ûµÄÇéÐÎϵ¼ÖÂÔ¶³ÌÏÂÁîÖ´ÐС£¡£

 

Ó°Ïì¹æÄ£

Ó°Ïì²úÆ·/×é¼þ

Pig Provider °æ±¾

Apache Airflow°æ±¾£¨×°ÖÃÁËPig Provider£©

±¸×¢

Ó°Ïì¹æÄ£

Pig Provide < 4.0.0

Apache Airflow < 2.3.0

Pig Provider 4.0.0Ö»ÄÜ×°ÖÃÔÚAirflow >= 2.3.0°æ±¾

 

0x02 Çå¾²½¨Òé

ÏÖÔÚ¸ÃÎó²îÒѾ­ÐÞ¸´£¬£¬ÊÜÓ°ÏìµÄApache Airflow 2.3.0¼°ÒÔÉϰ汾µÄÓû§¿É×°ÖÃPig Provider 4.0.0ÒÔÐÞ¸´´ËÎó²î¡£¡£

ÏÂÔØÁ´½Ó£º

https://airflow.apache.org/docs/apache-airflow-providers-apache-pig/4.0.0/index.html

 

0x03 ²Î¿¼Á´½Ó

https://www.mail-archive.com/announce@apache.org/msg07751.html

https://github.com/apache/airflow/pull/27644

 

0x04 °æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

ÐÞ¸ÄÄÚÈÝ

V1.0

2022-11-22

Ê×´ÎÐû²¼

  

0x05 ¸½Â¼

ÈËÉú¾ÍÊDz©¼ò½é

ÈËÉú¾ÍÊDz©½¨ÉèÓÚ1996Ä꣬£¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Ç徲ЧÀͽâ¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°ÈËÉú¾ÍÊDz©´óÏ㬣¬¹«Ë¾Ô±¹¤6000ÓàÈË£¬£¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕЧÀÍÍŶÓ1300ÓàÈË¡£¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС£¡££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬£¬ÈËÉú¾ÍÊDz©ÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·ÅÆ¶ø²»Ð¸Æð¾¢¡£¡£

 

¹ØÓÚÈËÉú¾ÍÊDz©

ÈËÉú¾ÍÊDz©Çå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÖ÷ÒªÕë¶ÔÖ÷ÒªÇå¾²Îó²îµÄÔ¤¾¯¡¢¸ú×ٺͷÖÏíÈ«Çò×îеÄÍþвÇ鱨ºÍÇå¾²±¨¸æ¡£¡£

¹Ø×¢ÒÔϹ«Öںţ¬£¬»ñȡȫÇò×îÐÂÇå¾²×ÊѶ£º

image.png