Impacted versions:
- Confluent Platform Flink < 1.18.1-cp7, 1.19.3-cp4, 1.19-cp8, 1.20.4-cp1, 2.0.2-cp1, 2.1.2-cp1
- Confluent Cloud Flink managed clusters
Recommended action:
- Confluent Cloud customers do not need to take any action. All managed Flink clusters have already been patched.
- Confluent Platform customers should upgrade to the latest patched release versions.
Issue:
Multiple remote code execution (RCE) vulnerabilities have been identified in Flink's SQL query processing layer.
Flink's SQL planner dynamically generates Java source code from SQL expressions, which is then compiled by an embedded Java compiler and executed at runtime. Due to insufficient sanitization of user-supplied values during code generation, authenticated users can craft SQL queries that cause arbitrary Java code to be injected into the generated source and executed during query evaluation.
Authenticated users with privileges to execute Flink queries can inject arbitrary code through several SQL constructs, including native JSON functions and LIKE expressions. Successful exploitation can result in arbitrary code execution within the Flink runtime environment.
Remediation:
-
Confluent Platform:
- This issue is resolved in the following versions of Confluent Platform Flink: 1.18.1-cp7, 1.19.3-cp4 ,1.19-cp8, 1.20.4-cp1, 2.0.2-cp1, 2.1.2-cp1
-
Confluent Cloud:
- Confluent Cloud managed Flink clusters have already been patched and no further action is necessary.
CVSS Scores:
-
Confluent Cloud:
- CVSS: 9.9 (CVSS v3.1 Calculator)
-
Confluent Platform:
- CVSS: 9.0 (CVSS v3.1 Calculator)