Google Cloud Data Fusion Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Google Cloud Data Fusion. This issue allows users with permission to upload artifacts to a Data Fusion instance to execute arbitrary code within the core AppFabric component. Exploitation of this vulnerability could enable an attacker to gain control over the Data Fusion instance, leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure.
Impact
Exploitation of this vulnerability could result in remote code execution on the affected Data Fusion instance. The potentially severe consequences include unauthorized access to sensitive data, manipulation of data pipelines, and exploration of the underlying infrastructure.
Remediation
Users are advised to upgrade to Google Cloud Data Fusion versions 6.10.6 or 6.11.1 or later. The updated versions are available on the CDAP GitHub releases page.
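An added example, not from the advisory or from Google: a Python triage over an exported instance inventory that flags versions below the fixed releases named above. The record fields `name` and `version`, the sample inventory, and the handling of release lines other than 6.10 and 6.11 are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED = {(6, 10): (6, 10, 6), (6, 11): (6, 11, 1)}

def parse_version(text):
    """Return (major, minor, patch) from e.g. '6.10.1' or '6.9.2.3-SNAPSHOT', else None."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def needs_upgrade(version_text):
    """True: below the fixed release for its line. False: at or above. None: cannot tell."""
    v = parse_version(version_text)
    if v is None:
        return None
    line = v[:2]
    if line in FIXED:
        # Numeric tuple comparison, so 6.10.10 correctly sorts above 6.10.6.
        return v < FIXED[line]
    # Assumption: lines older than 6.10 did not receive the fix,
    # lines newer than 6.11 already include it.
    return line < min(FIXED)

def triage(instances):
    """Sort instance names into 'upgrade', 'ok' and 'unknown' buckets."""
    result = {"upgrade": [], "ok": [], "unknown": []}
    for inst in instances:
        verdict = needs_upgrade(inst.get("version"))
        key = "unknown" if verdict is None else ("upgrade" if verdict else "ok")
        result[key].append(inst["name"])
    return result

# Constructed inventory (hypothetical instance names and versions).
SAMPLE = [
    {"name": "df-prod", "version": "6.10.1"},
    {"name": "df-stage", "version": "6.10.10"},
    {"name": "df-dev", "version": "6.11.0"},
    {"name": "df-new", "version": "6.11.1"},
    {"name": "df-old", "version": "6.9.2.3"},
    {"name": "df-odd", "version": "latest"},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Instances in the `unknown` bucket need a manual version check rather than being treated as safe.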
