Apache Flink Code Injection Vulnerability Leading to Remote Code Execution

A code injection vulnerability has been identified in the SQL code generation process of Apache Flink. This issue is present in versions 1.15.0 prior to 1.20.4, as well as in the 2.0.0 through 2.x range. The vulnerability allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers by crafting malicious SQL queries. It specifically affects JSON functions in Flink versions 1.15.0 and above, and LIKE expressions with ESCAPE clauses in versions 1.17.0 and above. The root cause lies in user-controlled strings being improperly escaped before being interpolated into generated Java code, enabling attackers to break out of string literals and inject arbitrary expressions.

Impact

Exploitation of this vulnerability allows for remote code execution on the TaskManagers.

Remediation

Users are advised to upgrade to Apache Flink versions 1.20.4, 2.0.2, 2.1.2, or 2.2.1, all of which address this vulnerability.