CVE-2024-27317 Overview
CVE-2024-27317 is a directory traversal vulnerability in Apache Pulsar Functions Worker. Authenticated users can upload functions packaged as jar or nar files, which the Functions Worker extracts as zip archives. The worker fails to validate filenames inside the archive, allowing entries containing .. path elements to write files outside the designated extraction directory. The flaw also affects the Pulsar Broker when configured with functionsWorkerEnabled=true. An authenticated attacker can create or overwrite files on the host, influencing system behavior and potentially achieving code execution.
Critical Impact
An authenticated attacker can write arbitrary files outside the extraction directory across the broker host, leading to integrity compromise and possible remote code execution.
Affected Products
- Apache Pulsar 2.4.0 through 2.10.5
- Apache Pulsar 2.11.0 through 2.11.3
- Apache Pulsar 3.0.0 through 3.0.2, 3.1.0 through 3.1.2, and 3.2.0
Discovery Timeline
- 2024-03-12 - CVE-2024-27317 published to NVD
- 2025-01-19 - Last updated in NVD database
Technical Details for CVE-2024-27317
Vulnerability Analysis
Apache Pulsar Functions Worker accepts user-uploaded function packages in jar or nar format. Both formats are zip-based archives. During deployment, the worker extracts the archive contents to a working directory on the broker or worker host. The extraction logic iterates over zip entries and writes each entry to disk using the filename declared inside the archive. The worker does not canonicalize the resulting path or verify that it remains within the target extraction directory.
This class of flaw is tracked as [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. The issue extends to the Pulsar Broker process when functionsWorkerEnabled=true, expanding the attack surface to any deployment running an embedded worker.
Root Cause
The root cause is missing validation of zip entry names during archive extraction. Archive entries containing relative path traversal sequences such as ../../etc/cron.d/payload are written verbatim. The extraction routine resolves these traversal sequences against the destination directory, allowing writes to arbitrary filesystem locations writable by the broker process user.
Attack Vector
Exploitation requires an authenticated session with permission to upload Pulsar Functions. The attacker crafts a malicious jar or nar package containing zip entries with names embedding .. segments. The attacker submits the package through the Functions API. When the Functions Worker extracts the archive, the traversal entries place attacker-controlled files outside the function workspace, for example into systemd unit directories, application configuration paths, or executable lookup directories. Subsequent process execution or scheduled tasks invoke the planted files.
No verified public proof-of-concept code is available. Refer to the Apache Pulsar CVE-2024-27317 advisory for technical specifics.
Detection Methods for CVE-2024-27317
Indicators of Compromise
- Files appearing outside the Functions Worker extraction directory with timestamps matching function deployment events.
- Unexpected jar or nar uploads in Functions Worker logs from accounts that do not normally deploy functions.
- New or modified files in sensitive directories such as /etc/, cron paths, or service unit directories owned by the broker process user.
Detection Strategies
- Inspect Pulsar Functions Worker logs for archive upload events and correlate with filesystem write activity outside expected paths.
- Run static inspection of stored function archives, listing entries with unzip -l and flagging any entry name that contains a .. path segment or an absolute path.
- Audit broker hosts for files created by the Pulsar service account outside the configured functionsDirectory.
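The following Python is an added example, not Pulsar's own (Java) code: it implements the check missing from the extraction path described under Root Cause, and the static archive scan suggested above. It goes beyond a plain substring match for .. by resolving each entry name against the destination directory, so a name like lib/a..b/x.class is not a false positive; the archives are constructed in-memory fixtures and the destination directory is a placeholder.

```python
import io
import os
import zipfile

def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """True if the entry would land outside dest_dir after path normalisation."""
    name = entry_name.replace("\\", "/")          # treat Windows separators as separators
    if name.startswith("/"):                      # absolute names are never acceptable
        return True
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest

def find_traversal_entries(archive_bytes: bytes, dest_dir: str) -> list:
    """Static scan of a stored jar/nar: entry names that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest_dir, n)]

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Hardened extraction: reject the whole package if any entry escapes dest_dir."""
    bad = find_traversal_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing package, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written

def build_sample_archive(entries: dict) -> bytes:
    """Constructed fixture only: an in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not real Pulsar packages: a benign layout and one carrying
# a traversal entry of the kind the advisory describes.
CLEAN = build_sample_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                              "com/example/Fn.class": b"\xca\xfe\xba\xbe"})
TRAVERSAL = build_sample_archive({"com/example/Fn.class": b"\xca\xfe\xba\xbe",
                                  "../../outside/planted.txt": b"constructed"})
```

Running find_traversal_entries over every archive in the configured functionsDirectory gives the audit from the list above; safe_extract is the shape of the fix, refusing the package before any byte is written.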
Monitoring Recommendations
- Enable filesystem integrity monitoring on the broker host for system directories and Pulsar configuration paths.
- Capture and retain Functions API access logs, including the authenticated principal and uploaded package hashes.
- Alert on Pulsar process file writes outside the designated function workspace directory.
How to Mitigate CVE-2024-27317
Immediate Actions Required
- Upgrade Apache Pulsar immediately to a patched release for your line: at least 2.10.6, 2.11.4, 3.0.3, 3.1.3, or 3.2.1.
- Restrict Pulsar Functions upload permissions to a minimal set of trusted operator accounts.
- Review broker hosts for files written outside the expected extraction directory and remove any unauthorized artifacts.
Patch Information
Apache published fixes in the following release lines: 2.10.x users should upgrade to at least 2.10.6, 2.11.x to 2.11.4, 3.0.x to 3.0.3, 3.1.x to 3.1.3, and 3.2.x to 3.2.1. Patch details are documented in the Apache Pulsar Security Advisory and the Apache Mailing List Discussion.
Workarounds
- Disable the embedded Functions Worker on brokers by setting functionsWorkerEnabled=false where functions are not required.
- Enforce strict authentication and authorization policies so only vetted principals hold the functions permission on namespaces.
- Run the Pulsar broker and Functions Worker under a dedicated low-privilege user with restricted write access to system directories.
# Configuration example: disable embedded Functions Worker on the broker
# /conf/broker.conf
functionsWorkerEnabled=false
# Or limit who may deploy functions by granting the functions action only to a vetted role at the namespace level
bin/pulsar-admin namespaces grant-permission public/default \
--role trusted-deployer \
--actions functions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.