Posted to commits@kafka.apache.org by ma...@apache.org on 2023/02/07 18:10:39 UTC

[kafka-site] branch asf-site updated: MINOR: Update CVE-2023-25194 details

This is an automated email from the ASF dual-hosted git repository.

manikumar pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new fb8884f0 MINOR: Update CVE-2023-25194 details
fb8884f0 is described below

commit fb8884f02ff34bf71ea47fa692a38b9a2f58ceae
Author: Manikumar Reddy <ma...@gmail.com>
AuthorDate: Tue Feb 7 21:30:13 2023 +0530

    MINOR: Update CVE-2023-25194 details
---
 cve-list.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index 9bba9137..01f6cc17 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,57 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+      <h2 id="CVE-2023-25194"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25194">CVE-2023-25194</a> Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect  </h2>
+
+      <p>A possible security vulnerability has been identified in Apache Kafka Connect.
+        This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config
+        and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. This will allow to perform JNDI requests
+        that result in Denial of service/remote code execution.
+        </p>
+
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>2.3.0 - 3.3.2</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.4.0</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config`
+            property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the
+            `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>
+
+            This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use
+            to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data
+            (or) RCE vulnerability when there are gadgets in the classpath.<br>
+          </td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box
+            configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector
+            client override policy that permits them.<br>
+
+            Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage
+            in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0.<br>
+
+            We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for
+            vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,
+            in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector
+            client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.<br>
+          </td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>8 Feb 2023</td>
+        </tr>
+        </tbody>
+      </table>
+
       <h2 id="CVE-2022-34917"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
 
       <p>This CVE identified a flaw where it allows the malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and
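Review bot: the Impact and Advice cells wrap property names in Markdown backticks (`sasl.jaas.config`, `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, `admin.override.sasl.jaas.config`) inside an HTML document, so they will render as literal backtick characters rather than as code; use `<code>…</code>` as the rest of the page's markup would. A few sentences in the same cells also need tightening before publishing: "This will allow to perform JNDI requests" lacks a subject ("This allows an attacker to perform JNDI requests"), "Attacker can cause" is missing its article, and "either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation" mixes verb forms and would read as "either upgrade the connector, upgrade the affected dependency, or remove the connector". The trailing `<br>` immediately before each `</td>` adds a blank line inside the cell and can be dropped. Finally, the "Issue announced" row says 8 Feb 2023 while this commit lands on 7 Feb 2023; confirm the intended announcement date so the published row matches the advisory.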