mbalassi commented on code in PR #854:
URL: https://github.com/apache/flink-web/pull/854#discussion_r3348989170


##########
docs/content/what-is-flink/security.md:
##########
@@ -27,93 +27,73 @@ under the License.
 
 # Security
 
-## Security Updates
-
-This section lists fixed vulnerabilities in Flink.
-
-<table class="table">
-       <thead>
-               <tr>
-                       <th style="width: 20%">CVE ID</th>
-                       <th style="width: 30%">Affected Flink versions</th>
-                       <th style="width: 50%">Notes</th>
-               </tr>
-       </thead>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
-               </td>
-               <td>
-                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
-               </td>
-               <td>
-                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions or remove the port parameter from the reporter configuration 
(see advisory for details).
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
-               </td>
-               <td>
-                       1.5.1 to 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
-               </td>
-               <td>
-                       1.11.0, 1.11.1, 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834";>CVE-2023-41834</a>
-               </td>
-               <td>
-                       Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br>
-                       Users are advised to upgrade to Flink Stateful 
Functions 3.3.0 or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-35194";>CVE-2026-35194</a>
-               </td>
-               <td>
-                       1.15.0 through 1.20.x and 2.0.0 through 2.x
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/64007b131d689158af90ca1c1b71b018129a85c5";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a>, <a 
href="https://github.com/apache/flink/commit/e7c0d17074dc0dc9e102a072f11bf0de09ba01a5";>e7c0d17074dc0dc9e102a072f11bf0de09ba01a5</a>
 and <a 
href="https://github.com/apache/flink/commit/9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8";>9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8</a>
 <br>
-                       Users are advised to upgrade to Flink 1.20.4, 2.0.2, 
2.1.2 or 2.2.1.
-               </td>
-       </tr>
-</table>
-
-
-## Frequently Asked Questions
-
-### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
-
-Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit code to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifying 
local files is possible.
-
-Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
-
-**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting access to a Flink cluster via appropriate means.
-
-
-### I found a vulnerability in Flink, how do I report it?
-
-Thanks a lot for looking into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](https://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
-
-If you want to discuss a potential security issue privately with the Flink 
PMC, you can reach us also via 
[[email protected]](mailto:[email protected]).
+## Apache Flink
+
+Apache Flink is a distributed stream and batch processing framework that 
executes user-supplied code across a cluster of machines.
+
+### Trust Boundary
+
+Flink's security model is built around one explicit trust boundary: **the 
cluster operator is trusted; the cluster network interfaces are not public**.
+
+**Authenticated users who submit jobs are fully trusted.** Flink executes 
submitted code unconditionally. A job can spawn processes, open network 
connections, read and write local files, and perform any operation the 
operating system permits. This is intentional -- restricting what user code can 
do would prevent legitimate use cases. Flink is not a sandbox.
+
+**Unauthenticated access to cluster interfaces is the threat Flink protects 
against.** The REST API, SQL Gateway, and BLOB server are the surfaces that 
must be secured from external attackers.
+
+### Security Boundary Reference
+
+The table below is intended for security researchers and enterprise security 
teams evaluating Flink:
+
+| Scenario | Security boundary | Notes |
+|---|---|---|
+| Unauthenticated access to the REST API | **In scope** | Vulnerability -- 
report it |
+| Path traversal or unauthorized file access via REST API | **In scope** | 
Vulnerability -- report it |
+| SQL injection or auth bypass via SQL Gateway | **In scope** | Vulnerability 
-- report it |
+| Credential or secret exposure in cluster interfaces | **In scope** | 
Vulnerability -- report it |
+| RCE via an authenticated, submitted user job | **Out of scope** | By design 
-- authenticated users run arbitrary code |

Review Comment:
   might make sense to disambiguate the acronym and state `Remote Code Execution` 
instead of RCE.



##########
docs/content/what-is-flink/security.md:
##########
@@ -27,93 +27,73 @@ under the License.
 
 # Security
 
-## Security Updates
-
-This section lists fixed vulnerabilities in Flink.
-
-<table class="table">
-       <thead>
-               <tr>
-                       <th style="width: 20%">CVE ID</th>
-                       <th style="width: 30%">Affected Flink versions</th>
-                       <th style="width: 50%">Notes</th>
-               </tr>
-       </thead>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
-               </td>
-               <td>
-                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
-               </td>
-               <td>
-                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions or remove the port parameter from the reporter configuration 
(see advisory for details).
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
-               </td>
-               <td>
-                       1.5.1 to 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
-               </td>
-               <td>
-                       1.11.0, 1.11.1, 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834";>CVE-2023-41834</a>
-               </td>
-               <td>
-                       Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br>
-                       Users are advised to upgrade to Flink Stateful 
Functions 3.3.0 or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-35194";>CVE-2026-35194</a>
-               </td>
-               <td>
-                       1.15.0 through 1.20.x and 2.0.0 through 2.x
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/64007b131d689158af90ca1c1b71b018129a85c5";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a>, <a 
href="https://github.com/apache/flink/commit/e7c0d17074dc0dc9e102a072f11bf0de09ba01a5";>e7c0d17074dc0dc9e102a072f11bf0de09ba01a5</a>
 and <a 
href="https://github.com/apache/flink/commit/9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8";>9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8</a>
 <br>
-                       Users are advised to upgrade to Flink 1.20.4, 2.0.2, 
2.1.2 or 2.2.1.
-               </td>
-       </tr>
-</table>
-
-
-## Frequently Asked Questions
-
-### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
-
-Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit code to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifying 
local files is possible.
-
-Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
-
-**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting access to a Flink cluster via appropriate means.
-
-
-### I found a vulnerability in Flink, how do I report it?
-
-Thanks a lot for looking into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](https://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
-
-If you want to discuss a potential security issue privately with the Flink 
PMC, you can reach us also via 
[[email protected]](mailto:[email protected]).
+## Apache Flink
+
+Apache Flink is a distributed stream and batch processing framework that 
executes user-supplied code across a cluster of machines.
+
+### Trust Boundary
+
+Flink's security model is built around one explicit trust boundary: **the 
cluster operator is trusted; the cluster network interfaces are not public**.
+
+**Authenticated users who submit jobs are fully trusted.** Flink executes 
submitted code unconditionally. A job can spawn processes, open network 
connections, read and write local files, and perform any operation the 
operating system permits. This is intentional -- restricting what user code can 
do would prevent legitimate use cases. Flink is not a sandbox.
+
+**Unauthenticated access to cluster interfaces is the threat Flink protects 
against.** The REST API, SQL Gateway, and BLOB server are the surfaces that 
must be secured from external attackers.
+
+### Security Boundary Reference
+
+The table below is intended for security researchers and enterprise security 
teams evaluating Flink:
+
+| Scenario | Security boundary | Notes |
+|---|---|---|
+| Unauthenticated access to the REST API | **In scope** | Vulnerability -- 
report it |
+| Path traversal or unauthorized file access via REST API | **In scope** | 
Vulnerability -- report it |
+| SQL injection or auth bypass via SQL Gateway | **In scope** | Vulnerability 
-- report it |
+| Credential or secret exposure in cluster interfaces | **In scope** | 
Vulnerability -- report it |
+| RCE via an authenticated, submitted user job | **Out of scope** | By design 
-- authenticated users run arbitrary code |
+| Spawning processes or opening connections from within a running job | **Out 
of scope** | By design |
+| Reading or writing files from within a running job | **Out of scope** | By 
design |
+
+### Deployment Requirements
+
+Flink clusters must not be exposed to the public internet. Access to all Flink 
network interfaces must be restricted to trusted principals via network-level 
controls (firewalls, security groups, VPN).
+
+SSL/TLS, REST API authentication, and SQL Gateway authentication are all 
**disabled by default**. A default Flink deployment is unauthenticated and 
unencrypted on its network interfaces. These must be explicitly configured 
before any production or shared deployment.
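Review bot: the "Trust Boundary" and "Deployment Requirements" sections should be tied together, because read side by side they imply something the text never states: with REST API and SQL Gateway authentication "disabled by default", the "authenticated users" who are "fully trusted" are, in a default deployment, anyone who can reach the port, so network reachability is the only control in front of unconditional code execution until authentication is enabled. Suggest saying that explicitly in "Deployment Requirements", and linking the phrase "must be explicitly configured" to the configuration documentation for SSL/TLS, REST API authentication and SQL Gateway authentication, since the paragraph currently gives the reader nothing to follow.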

Review Comment:
   These must be explicitly configured before any production or shared 
deployment. -> These need to be explicitly enabled for production or shared 
deployments.



##########
docs/content/what-is-flink/security.md:
##########
@@ -27,93 +27,73 @@ under the License.
 
 # Security
 
-## Security Updates
-
-This section lists fixed vulnerabilities in Flink.
-
-<table class="table">
-       <thead>
-               <tr>
-                       <th style="width: 20%">CVE ID</th>
-                       <th style="width: 30%">Affected Flink versions</th>
-                       <th style="width: 50%">Notes</th>
-               </tr>
-       </thead>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
-               </td>
-               <td>
-                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
-               </td>
-               <td>
-                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions or remove the port parameter from the reporter configuration 
(see advisory for details).
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
-               </td>
-               <td>
-                       1.5.1 to 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
-               </td>
-               <td>
-                       1.11.0, 1.11.1, 1.11.2
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
-                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834";>CVE-2023-41834</a>
-               </td>
-               <td>
-                       Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br>
-                       Users are advised to upgrade to Flink Stateful 
Functions 3.3.0 or later versions.
-               </td>
-       </tr>
-       <tr>
-               <td>
-                       <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-35194";>CVE-2026-35194</a>
-               </td>
-               <td>
-                       1.15.0 through 1.20.x and 2.0.0 through 2.x
-               </td>
-               <td>
-                       <a 
href="https://github.com/apache/flink/commit/64007b131d689158af90ca1c1b71b018129a85c5";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a>, <a 
href="https://github.com/apache/flink/commit/e7c0d17074dc0dc9e102a072f11bf0de09ba01a5";>e7c0d17074dc0dc9e102a072f11bf0de09ba01a5</a>
 and <a 
href="https://github.com/apache/flink/commit/9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8";>9b2a11268dc8b4e6ea5a604dca0ea27f0fee3ed8</a>
 <br>
-                       Users are advised to upgrade to Flink 1.20.4, 2.0.2, 
2.1.2 or 2.2.1.
-               </td>
-       </tr>
-</table>
-
-
-## Frequently Asked Questions
-
-### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
-
-Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit code to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifying 
local files is possible.
-
-Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
-
-**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting access to a Flink cluster via appropriate means.
-
-
-### I found a vulnerability in Flink, how do I report it?
-
-Thanks a lot for looking into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](https://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
-
-If you want to discuss a potential security issue privately with the Flink 
PMC, you can reach us also via 
[[email protected]](mailto:[email protected]).
+## Apache Flink
+
+Apache Flink is a distributed stream and batch processing framework that 
executes user-supplied code across a cluster of machines.
+
+### Trust Boundary
+
+Flink's security model is built around one explicit trust boundary: **the 
cluster operator is trusted; the cluster network interfaces are not public**.
+
+**Authenticated users who submit jobs are fully trusted.** Flink executes 
submitted code unconditionally. A job can spawn processes, open network 
connections, read and write local files, and perform any operation the 
operating system permits. This is intentional -- restricting what user code can 
do would prevent legitimate use cases. Flink is not a sandbox.
+
+**Unauthenticated access to cluster interfaces is the threat Flink protects 
against.** The REST API, SQL Gateway, and BLOB server are the surfaces that 
must be secured from external attackers.
+
+### Security Boundary Reference
+
+The table below is intended for security researchers and enterprise security 
teams evaluating Flink:
+
+| Scenario | Security boundary | Notes |
+|---|---|---|
+| Unauthenticated access to the REST API | **In scope** | Vulnerability -- 
report it |
+| Path traversal or unauthorized file access via REST API | **In scope** | 
Vulnerability -- report it |
+| SQL injection or auth bypass via SQL Gateway | **In scope** | Vulnerability 
-- report it |
+| Credential or secret exposure in cluster interfaces | **In scope** | 
Vulnerability -- report it |
+| RCE via an authenticated, submitted user job | **Out of scope** | By design 
-- authenticated users run arbitrary code |
+| Spawning processes or opening connections from within a running job | **Out 
of scope** | By design |
+| Reading or writing files from within a running job | **Out of scope** | By 
design |
+
+### Deployment Requirements
+
+Flink clusters must not be exposed to the public internet. Access to all Flink 
network interfaces must be restricted to trusted principals via network-level 
controls (firewalls, security groups, VPN).
+
+SSL/TLS, REST API authentication, and SQL Gateway authentication are all 
**disabled by default**. A default Flink deployment is unauthenticated and 
unencrypted on its network interfaces. These must be explicitly configured 
before any production or shared deployment.
+
+Flink does not manage the security of external systems it connects to, nor the 
lifecycle of credentials used to connect to them -- those are operator 
responsibilities.
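Review bot: the "Security Boundary Reference" table omits the BLOB server even though the "Trust Boundary" section names it, together with the REST API and SQL Gateway, as a surface that "must be secured from external attackers"; a reader scanning only the table could infer that BLOB server issues are out of scope. Suggest adding a row in the same form as the others, e.g. `| Unauthenticated access to the BLOB server | **In scope** | Vulnerability -- report it |`. Minor: the two trailing "Out of scope" rows (spawning processes or opening connections; reading or writing files) are special cases of the "RCE via an authenticated, submitted user job" row and could say so in the Notes column rather than just "By design".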

Review Comment:
   nit: it can manage the lifecycle of tokens (not creds) - I believe the 
current wording is acceptable, just wanted to make sure it is not misleading.


