![]() This uses a VM instance template that Google maintains. ![]() When a Dataflow job is launched, what basically happens is that Google spins up VMs using Compute Engine with a managed instance group. For Apache Beam, there is an SDK for Java, Python, and Go with Java being the primary SDK which has the most support. This allows developers to focus less on how to scale their code. Dataflow then handles things like consuming and windowing data, spinning up worker nodes, and moving data bundles between nodes for processing. It allows a developer to write code using Apache Beam's SDK and run it on Dataflow. Dataflow Overviewĭataflow is a runner for Apache Beam. Ultimately, Google paid me $3133.70 as a reward for reporting the vulnerability. This was reported to Google under their vulnerability reward program (VRP) for Google Cloud. Later that week, I spun up Dataflow in my personal Google Cloud account and started digging.Īfter some work, I identified an unauthenticated Java JMX service running on Dataflow nodes that, under certain circumstances, would be exposed to the Internet allowing unauthenticated remote code execution as root, in an unprivileged container, on the target Dataflow node. Prior to that experience I hadn't thought much about what was happening on the worker node, so I made a mental reminder to dig into Dataflow as a possible exploit vector into Google Cloud. Earlier this year, I was debugging an error in Dataflow, and as part of that process, I dropped into the worker node via SSH and began to look around.
0 Comments
Leave a Reply. |