apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Upgrade Werkzeug >=3.0.3 to address CVE-2024-34069 #39952

Closed adithyaonline closed 3 months ago

adithyaonline commented 3 months ago

Apache Airflow version

2.9.1

If "Other Airflow 2 version" selected, which one?

No response

What happened?

Werkzeug 2.2.8 has a vulnerability with a CVSS score of 7.5

What you think should happen instead?

We need to upgrade Werkzeug to 3.0.3

How to reproduce

Scan latest airflow with any source code analysis tool

Operating System

debian

Versions of Apache Airflow Providers

No response

Deployment

Other Docker-based deployment

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

Code of Conduct

boring-cyborg[bot] commented 3 months ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

Taragolis commented 3 months ago

Not possible until we can migrate to Connexion 3, see: https://github.com/apache/airflow/issues/35234 There have been a couple of attempts to resolve it and none has been successful.

root@fc8180a24c0c:/opt/airflow# pipdeptree --package Werkzeug -r
Werkzeug==2.2.3
├── apache-airflow==2.10.0.dev0 [requires: Werkzeug>=2.0,<3]
├── connexion==2.14.2 [requires: Werkzeug>=1.0,<2.3]
│   └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
├── Flask==2.2.5 [requires: Werkzeug>=2.2.2]
│   ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│   ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│   ├── connexion==2.14.2 [requires: Flask>=1.0.4,<2.3]
│   │   └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
│   ├── Flask-AppBuilder==4.4.1 [requires: Flask>=2,<3.0.0]
│   │   └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   ├── Flask-Babel==2.0.0 [requires: Flask]
│   │   └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│   │       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   ├── Flask-Bcrypt==1.0.1 [requires: Flask]
│   ├── Flask-Caching==2.3.0 [requires: Flask]
│   │   └── apache-airflow==2.10.0.dev0 [requires: Flask-Caching>=1.5.0]
│   ├── Flask-JWT-Extended==4.6.0 [requires: Flask>=2.0,<4.0]
│   │   └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│   │       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   ├── Flask-Limiter==3.7.0 [requires: Flask>=2]
│   │   └── Flask-AppBuilder==4.4.1 [requires: Flask-Limiter>3,<4]
│   │       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   ├── Flask-Login==0.6.3 [requires: Flask>=1.0.4]
│   │   ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│   │   └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│   │       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   ├── Flask-Session==0.5.0 [requires: Flask>=2.2]
│   │   └── apache-airflow==2.10.0.dev0 [requires: Flask-Session>=0.4.0,<0.6]
│   ├── Flask-SQLAlchemy==2.5.1 [requires: Flask>=0.10]
│   │   └── Flask-AppBuilder==4.4.1 [requires: Flask-SQLAlchemy>=2.4,<3]
│   │       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│   └── Flask-WTF==1.2.1 [requires: Flask]
│       ├── apache-airflow==2.10.0.dev0 [requires: Flask-WTF>=0.15]
│       └── Flask-AppBuilder==4.4.1 [requires: Flask-WTF>=0.14.2,<2]
│           └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-AppBuilder==4.4.1 [requires: Werkzeug<4]
│   └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-JWT-Extended==4.6.0 [requires: Werkzeug>=0.14]
│   └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-Login==0.6.3 [requires: Werkzeug>=1.0.1]
│   ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│   └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│       └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
└── moto==5.0.7 [requires: Werkzeug>=0.5,!=2.2.1,!=2.2.0]
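To make the blocker in the pipdeptree output above explicit, here is an added example (not Airflow's code): it parses the `[requires: Werkzeug...]` specifiers of Werkzeug's direct dependents and reports which of them reject a candidate version. The sample text is the subset of the quoted output that constrains Werkzeug directly; the version comparison handles only numeric dotted releases, which is all that appears here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines of the quoted pipdeptree output that
# constrain Werkzeug directly (nested lines constrain other packages).
PIPDEPTREE_OUTPUT = """\
Werkzeug==2.2.3
├── apache-airflow==2.10.0.dev0 [requires: Werkzeug>=2.0,<3]
├── connexion==2.14.2 [requires: Werkzeug>=1.0,<2.3]
│   └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
├── Flask==2.2.5 [requires: Werkzeug>=2.2.2]
├── Flask-AppBuilder==4.4.1 [requires: Werkzeug<4]
├── Flask-JWT-Extended==4.6.0 [requires: Werkzeug>=0.14]
├── Flask-Login==0.6.3 [requires: Werkzeug>=1.0.1]
└── moto==5.0.7 [requires: Werkzeug>=0.5,!=2.2.1,!=2.2.0]
"""

# One tree line: "<name>==<version> [requires: Werkzeug<specifier>]"
LINE_RE = re.compile(r"([A-Za-z0-9_.-]+)==(\S+) \[requires: Werkzeug([^\]]*)\]")
SPEC_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)")

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.2.3' -> (2, 2, 3); numeric dotted releases only."""
    return tuple(int(p) for p in v.split("."))

def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    n = max(len(a), len(b))   # pad so '3' compares as '3.0.0'
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}

def satisfies(spec: str, candidate: str) -> bool:
    """True if every clause of a comma-separated specifier accepts candidate."""
    cand = parse_version(candidate)
    return all(OPS[op](cmp_versions(cand, parse_version(ver)))
               for op, ver in SPEC_RE.findall(spec))

def werkzeug_constraints(tree: str) -> Dict[str, str]:
    """Map each direct dependent to the Werkzeug specifier it declares."""
    return {m.group(1): m.group(3) for line in tree.splitlines()
            if (m := LINE_RE.search(line))}

def upgrade_blockers(tree: str, candidate: str) -> List[str]:
    """Dependents whose specifier rejects candidate; empty means the bump is free."""
    return sorted(pkg for pkg, spec in werkzeug_constraints(tree).items()
                  if not satisfies(spec, candidate))
```

Run against the sample with candidate `3.0.3`, it returns `['apache-airflow', 'connexion']`, i.e. exactly the two pins Taragolis points at.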

hanleybrand commented 3 months ago

According to https://nvd.nist.gov/vuln/detail/CVE-2024-34069 the vulnerability is the werkzeug debugger -- has anyone looked for or found a way to safely hard disable the debugger in a deployment (i.e. make it so the debugger will not run, even on localhost)?

hanleybrand commented 3 months ago

I can't find evidence that the werkzeug debugger console is accessible inside of an unaltered airflow deployment -- the werkzeug docs say the debugger has to be intentionally enabled by wrapping the application in the DebuggedApplication middleware -- as far as I can search, airflow does not do this.

I believe the temporary way forward for those who need to deploy airflow and are being denied because of security policies is to get a security exception from whoever governs security on the infrastructure you need to deploy to.
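One way to answer the question raised above (verifying at startup that the Werkzeug debugger is not in the deployed app), as an added example that is not Airflow's code: it walks the WSGI wrapping chain through Flask's `wsgi_app` and a middleware's `app` attribute looking for `DebuggedApplication`, and checks the Flask `debug` flag. The stand-in classes are constructed so the check runs without Flask or Werkzeug installed; the attribute names are assumptions about how the chain is wrapped.

```python
from typing import Any, List

DEBUGGER_CLASS = "DebuggedApplication"   # the Werkzeug middleware named in the thread
DEBUGGER_MODULE = "werkzeug.debug"       # where that middleware lives

def wsgi_chain(app: Any) -> List[Any]:
    """Follow the usual wrapping attributes (Flask's .wsgi_app, a middleware's .app)."""
    chain, seen = [], set()
    while app is not None and id(app) not in seen:   # seen-set guards against cycles
        seen.add(id(app))
        chain.append(app)
        app = getattr(app, "wsgi_app", None) or getattr(app, "app", None)
    return chain

def debugger_findings(app: Any) -> List[str]:
    """Human-readable reasons the debugger could be reachable; empty means clean."""
    findings = []
    if getattr(app, "debug", False):
        findings.append("flask debug flag is on")
    for layer in wsgi_chain(app):
        cls = type(layer)
        if cls.__name__ == DEBUGGER_CLASS or cls.__module__.startswith(DEBUGGER_MODULE):
            findings.append(f"{cls.__module__}.{cls.__name__} present in WSGI chain")
    return findings

def assert_debugger_disabled(app: Any) -> None:
    """Call once at process start; refuse to serve if the debugger is wired in."""
    findings = debugger_findings(app)
    if findings:
        raise RuntimeError("refusing to start: " + "; ".join(findings))

# Constructed stand-ins so the check runs without Flask/Werkzeug installed.
class FakeFlask:
    def __init__(self, debug: bool = False) -> None:
        self.debug = debug
        self.wsgi_app = object()   # innermost WSGI callable stand-in

class DebuggedApplication:   # mimics the real middleware's .app attribute only
    def __init__(self, app: Any, evalex: bool = True) -> None:
        self.app = app
        self.evalex = evalex

def wrapped_with_debugger() -> FakeFlask:
    """A FakeFlask whose WSGI chain has been wrapped the way the docs describe."""
    flask_app = FakeFlask()
    flask_app.wsgi_app = DebuggedApplication(flask_app.wsgi_app)
    return flask_app
```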