You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kafka.apache.org by ma...@apache.org on 2023/02/07 18:10:39 UTC
[kafka-site] branch asf-site updated: MINOR: Update CVE-2023-25194 details
This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new fb8884f0 MINOR: Update CVE-2023-25194 details
fb8884f0 is described below
commit fb8884f02ff34bf71ea47fa692a38b9a2f58ceae
Author: Manikumar Reddy <ma...@gmail.com>
AuthorDate: Tue Feb 7 21:30:13 2023 +0530
MINOR: Update CVE-2023-25194 details
---
cve-list.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/cve-list.html b/cve-list.html
index 9bba9137..01f6cc17 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,57 @@
This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
+ <h2 id="CVE-2023-25194"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25194">CVE-2023-25194</a> Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect </h2>
+
+ <p>A possible security vulnerability has been identified in Apache Kafka Connect.
+ This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config
+ and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. This will allow to perform JNDI requests
+ that result in Denial of service/remote code execution.
+ </p>
+
+ <table class="data-table">
+ <tbody>
+ <tr>
+ <td>Versions affected</td>
+ <td>2.3.0 - 3.3.2</td>
+ </tr>
+ <tr>
+ <td>Fixed versions</td>
+ <td>3.4.0</td>
+ </tr>
+ <tr>
+ <td>Impact</td>
+ <td>When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config`
+ property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the
+ `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>
+
+ This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use
+ to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data
+ (or) RCE vulnerability when there are gadgets in the classpath.<br>
+ </td>
+ </tr>
+ <tr>
+ <td>Advice</td>
+ <td>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box
+ configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector
+ client override policy that permits them.<br>
+
+ Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage
+ in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0.<br>
+
+ We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for
+ vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,
+ in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector
+ client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.<br>
+ </td>
+ </tr>
+ <tr>
+ <td>Issue announced</td>
+ <td>8 Feb 2023</td>
+ </tr>
+ </tbody>
+ </table>
+
<h2 id="CVE-2022-34917"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
<p>This CVE identified a flaw where it allows the malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and