low

Dataflow RCE via unauthenticated JMX service

Published Tue, Dec 28th, 2021
Platforms

Summary

Dataflow worker nodes ran an unauthenticated Java Management Extensions (JMX) service that under certain circumstances would be exposed to the Internet, thus allowing unauthenticated remote code execution (RCE) as root in an unprivileged container. The impact of the vulnerability depended on which service account was assigned to Dataflow worker nodes (by default, that would be the Google Compute Engine default service account, which has the project-wide Editor role assigned).

Affected Services

Dataflow

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Fri, Mar 5th, 2021
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Mike Brancato