[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] CVE-2021-35936: Apache Airflow: No Authentication on Logging Server


If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on by default.
This logging server had no authentication and allows reading log files of DAG jobs.

This issue affects Apache Airflow < 2.1.2.


Use remote logging with GCS, S3, Elasticsearch etc. This is recommended for production environments.

And do not publicly expose any other ports apart from Webserver port, Flower port etc.


Apache Airflow would like to thank Dolev Farhi for reporting this issue.