low

Dataflow RCE via unauthenticated JMX service

Published Tue, Dec 28th, 2021

Platforms

Summary

Dataflow worker nodes ran an unauthenticated Java Management Extensions (JMX) service that under certain circumstances would be exposed to the Internet, thus allowing unauthenticated remote code execution (RCE) as root in an unprivileged container. The impact of the vulnerability depended on which service account qA assigned to Dataflow worker nodes (by default, that would be the Google Compute Engine default service account, which has the project-wide Editor role assigned).

Affected Services

Dataflow

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://mbrancato.github.io/2021/12/28/rce-dataflow.html https://portswigger.net/daily-swig/google-showers-top-cloud-security-researchers-with-kudos-and-cash

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Fri, Mar 5th, 2021

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Mike Brancato

More vulnerabilities...

medium

Overprivileged AWS support IAM role policy

AWS added an excessive s3:getObject permission to AWSSupportServiceRolePolicy IAM policy used by AWS Support teams, and removed it a day later.

Scott Piper, Summit Route

Wed, Dec 22nd, 2021

high

LPE vulnerability in Eltima (3rd-party cloud desktop driver)

Several cloud desktop solutions rely on a 3rd-party library called Eltima SDK to provide USB over Ethernet capabilities, to allow users to connect and share local devices such as webcams. SentinelL...

Kasif Dekel, SentinelOne

Tue, Dec 7th, 2021

medium

AWS SageMaker Jupyter Notebook instance CSRF

AWS SageMaker Notebook server lacked a check of the Origin header that led to a CSRF vulnerability. An attacker could have read sensitive data and execute arbitrary actions in customer environments...

Gafnit Amiga, Lightspin

Thu, Dec 2nd, 2021

View all