Security Issues
Apache SeaTunnel Security
If you have concerns regarding SeaTunnel's security, or you discover a vulnerability or potential threat, don't hesitate to contact the Apache Security Team by sending an email to security@apache.org. In the email, specify the project name, SeaTunnel, along with a description of the issue or potential threat. You are also encouraged to include steps to reproduce the issue. The security team and the SeaTunnel community will get back to you after assessing and analysing the findings.
Before using SeaTunnel, please review the usage documentation to ensure you understand the purpose and impact of each operation.
In seatunnel-web, it is up to the system administrator to handle user authentication. Once a user is logged in, they get full access to the system. seatunnel-web does not perform any extra security checks when calling third-party SDKs.
The same goes for seatunnel-zeta: any client that has been authenticated has full access. The system does not perform additional security checks when those client connections interact with third-party SDKs.
PLEASE NOTE: report the security issue to the security email address before disclosing it publicly.
Frequently Asked Questions
During a security analysis of SeaTunnel, I noticed that SeaTunnel allows for remote code execution, is this an issue?
Apache SeaTunnel is a framework for executing user-supplied code and config in clusters. Users can submit code to SeaTunnel processes, which will be executed unconditionally, without any attempts to limit what code can run. Starting other processes, establishing network connections or accessing and modifying local files is possible.
Historically, we’ve received numerous remote code execution vulnerability reports, which we had to reject, as this is by design.
We strongly discourage users from exposing SeaTunnel processes to the public internet. Within company networks or "cloud" accounts, we recommend restricting access to a SeaTunnel cluster via appropriate means.