CVE-2024-27894
Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying
- Public Exploits: 0
- Exploited in Wild: -
Description
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
- 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
- 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
- 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
- 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
- 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
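The mitigation described above is an allowlist: URL-based function creation is refused by default, and only URLs matching operator-supplied patterns are fetched. The following is an added, self-contained illustration of that control (written for this page, not Pulsar's own code), so that a reviewer can see why default-deny on the scheme matters independently of the allowlist. The helper names, the regex pattern syntax and the sample URLs are all constructed for the example; this page does not state the exact format Pulsar expects in `additionalEnabledConnectorUrlPatterns` or `additionalEnabledFunctionsUrlPatterns`.

```python
"""Illustrative allowlist check for function-package URLs.

Added example, not Pulsar's implementation. It mirrors the advisory's two
ideas: (1) the 'file' scheme is never fetchable, whatever the allowlist says,
and (2) http/https URLs are fetched only when they fully match an
operator-supplied pattern. An empty allowlist disables URL-based creation.
"""
import re
from urllib.parse import urlsplit

# Reason codes, useful for audit logging / detection of rejected attempts.
REASON_SCHEME = "rejected: scheme is not http/https"
REASON_NO_HOST = "rejected: URL has no host"
REASON_NOT_ALLOWLISTED = "rejected: URL matches no allowlisted pattern"
REASON_ALLOWED = "allowed"

# Default: nothing is allowlisted, so every URL-based creation is refused.
DEFAULT_ALLOWED_PATTERNS: tuple[str, ...] = ()

# Constructed operator allowlist for the example (assumed internal artifact host).
EXAMPLE_ALLOWED_PATTERNS = (
    r"https://packages\.example\.internal/functions/[A-Za-z0-9._-]+\.(?:jar|nar|py)",
)


def check_package_url(url: str, allowed_patterns=DEFAULT_ALLOWED_PATTERNS) -> tuple[bool, str]:
    """Decide whether a function package may be fetched from `url`.

    Returns (decision, reason). Default-deny: anything that is not http/https
    is rejected before the allowlist is consulted, so a worker can never be
    pointed at its own filesystem via 'file'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, REASON_SCHEME
    if not parts.netloc:
        return False, REASON_NO_HOST
    # fullmatch, not search: a pattern for the trusted host must not match a
    # URL that merely embeds that host in its path or query string.
    if any(re.fullmatch(pattern, url) for pattern in allowed_patterns):
        return True, REASON_ALLOWED
    return False, REASON_NOT_ALLOWLISTED


def is_allowed_package_url(url: str, allowed_patterns=DEFAULT_ALLOWED_PATTERNS) -> bool:
    """Boolean convenience wrapper around check_package_url."""
    return check_package_url(url, allowed_patterns)[0]


def main() -> None:
    # Constructed sample requests, as a worker might see them in its audit log.
    samples = [
        "file:///tmp/wordcount.jar",
        "https://packages.example.internal/functions/wordcount-1.0.jar",
        "https://packages.example.internal/other/wordcount-1.0.jar",
        "https://third-party.example.net/?next=https://packages.example.internal/functions/a.jar",
        "packages.example.internal/functions/wordcount-1.0.jar",
    ]
    for url in samples:
        allowed, reason = check_package_url(url, EXAMPLE_ALLOWED_PATTERNS)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:48} {url}")


if __name__ == "__main__":
    main()
```

With the default (empty) allowlist every URL is refused, which is the post-patch behaviour the advisory describes; operators who need the feature add patterns for the exact hosts and paths they trust. Logging the reason code for every denial gives a detection signal: a burst of `file` scheme rejections from one authenticated principal is worth an alert.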
SSVC
- Decision: Track
Timeline
- 2024-02-26 CVE Reserved
- 2024-03-12 CVE Published
- 2024-05-02 EPSS Updated
- 2024-08-02 CVE Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-20: Improper Input Validation
- CWE-552: Files or Directories Accessible to External Parties
References (3)
URL | Tag | Date |
---|---|---|
http://www.openwall.com/lists/oss-security/2024/03/12/11 | | |
https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p | Mailing List | |
https://pulsar.apache.org/security/CVE-2024-27894 | | 2024-05-01 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Apache Software Foundation | Apache Pulsar | >= 2.4.0 < 2.10.6 | Affected |
Apache Software Foundation | Apache Pulsar | >= 2.11.0 < 2.11.4 | Affected |
Apache Software Foundation | Apache Pulsar | >= 3.0.0 < 3.0.3 | Affected |
Apache Software Foundation | Apache Pulsar | >= 3.1.0 < 3.1.3 | Affected |
Apache Software Foundation | Apache Pulsar | >= 3.2.0 < 3.2.1 | Affected |