
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN393
_____________________________________________________________________

DATE                : 18/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior to 2.1.2.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202108.mbox/%3cd998842d-fdb2-8f73-ca56-aaa43d55d057@apache.org%3e
_____________________________________________________________________

Description:

If remote logging is not used, the worker (in the case of
CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs
a Flask logging server that listens on a specific port and, by
default, binds to 0.0.0.0.
This logging server has no authentication, so anyone who can reach
that port can read the log files of DAG jobs.

This issue affects Apache Airflow < 2.1.2.

Mitigation:

Use remote logging (GCS, S3, Elasticsearch, etc.); this is recommended
for production environments.

Do not publicly expose any ports other than those that must be
reachable, such as the webserver port and the Flower port.
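The following configuration audit is an added example, not part of this
note or of the Airflow project. It reads the standard airflow.cfg keys
([core] executor, [logging] remote_logging, [celery]
worker_log_server_port) from a constructed sample and reports whether
the unauthenticated log server described above would be running.

```python
import configparser
from typing import Any, Dict

# Constructed airflow.cfg fragments (not taken from any real deployment).
# VULNERABLE_CFG: remote logging off with CeleryExecutor, so the worker
# serves logs over the Flask log server on its default port.
VULNERABLE_CFG = """
[core]
executor = CeleryExecutor
[logging]
remote_logging = False
[celery]
worker_log_server_port = 8793
"""

# HARDENED_CFG: remote logging enabled, matching the mitigation above.
HARDENED_CFG = """
[core]
executor = CeleryExecutor
[logging]
remote_logging = True
remote_base_log_folder = s3://example-bucket/airflow-logs
[celery]
worker_log_server_port = 8793
"""


def audit_log_server(cfg_text: str) -> Dict[str, Any]:
    """Return the executor, remote-logging state, log server port and a
    verdict on whether the unauthenticated log server would be active."""
    # interpolation=None: airflow.cfg contains '%' in log format strings.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    executor = cfg.get("core", "executor", fallback="SequentialExecutor")
    remote = cfg.getboolean("logging", "remote_logging", fallback=False)
    port = cfg.getint("celery", "worker_log_server_port", fallback=8793)
    # Only Celery workers and the LocalExecutor scheduler start the server;
    # the executor value may be a dotted class path, so match the suffix.
    serves_logs = executor.endswith(("CeleryExecutor", "LocalExecutor"))
    return {
        "executor": executor,
        "remote_logging": remote,
        "log_server_port": port,
        "unauthenticated_log_server": serves_logs and not remote,
    }


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_log_server(text))
```

On the vulnerable sample the verdict is True with port 8793; after enabling remote logging it is False.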

Credit:

Apache Airflow would like to thank Dolev Farhi for reporting this issue.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
