exploitDog
CVE-2025-27819

Published: 10 Jun 2025
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

In CVE-2023-25194, we announced the RCE/denial of service attack via SASL JAAS JndiLoginModule configuration in the Kafka Connect API. But not only the Kafka Connect API is vulnerable to this attack; the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules' usage in SASL JAAS configuration. Also, by default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in Apache Kafka 3.9.1/4.0.0.

A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when the broker's SASL JAAS configuration permits its use. An attacker who can reach the cluster and holds the AlterConfigs permission on the cluster resource can place a malicious JNDI URI in the Kafka broker's configuration, leading to arbitrary code execution on the affected system.

Statement

No Red Hat products or offerings are affected by this vulnerability. This vulnerability is categorized as Important rather than Moderate because it can enable remote code execution (RCE) or denial of service (DoS) in a core component of Apache Kafka, the brokers, under conditions that are restrictive but realistic. Exploitation requires AlterConfigs permission on the cluster resource and network access to the Kafka cluster, but these privileges are commonly granted to administrative or automation accounts in real-world deployments. The core issue is an unsafe JAAS configuration that allows the use of JndiLoginModule, which triggers JNDI lookups and results in arbitrary code execution if a malicious LDAP or RMI server is referenced. Given Kafka's central role in data pipelines and real-time processing systems, a successful exploit could lead to a full cluster compromise, service disruption, or lateral movement within a network.

Mitigation

To mitigate this flaw, disable the problematic login modules in the SASL JAAS configuration using the system property "-Dorg.apache.kafka.disallowed.login.modules", for example by passing it to the broker JVM through KAFKA_OPTS, and list both com.sun.security.auth.module.JndiLoginModule and com.sun.security.auth.module.LdapLoginModule in its value. Apache Kafka 3.4.0 and later disallow JndiLoginModule by default, and 3.9.1/4.0.0 disallow both modules by default, so upgrading to those releases covers the same ground. Because exploitation also requires the AlterConfigs permission on the cluster resource, review which principals hold that permission (for example with kafka-acls.sh --list) and restrict it to the accounts that actually need to change broker configuration.
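As an added example (not part of the Red Hat or Apache advisories), the POSIX shell script below audits the two places the mitigation touches: it checks a broker's JVM options for the disallowed-modules property with both modules listed, and scans a sasl.jaas.config value for a reference to either disallowed module. The JVM option strings and JAAS entries are constructed samples; in practice you would feed it the broker's process command line and the static or dynamic configs reported by kafka-configs.sh --describe.

```shell
#!/bin/sh
# Added example, not from the Red Hat or Apache advisories: audit a Kafka broker
# for the CVE-2025-27819 mitigation. All sample inputs below are constructed.

# The two modules Apache Kafka 3.9.1/4.0.0 disallow by default. If you set the
# property yourself, list both, since the explicit value is what the broker uses.
REQUIRED_MODULES="com.sun.security.auth.module.JndiLoginModule com.sun.security.auth.module.LdapLoginModule"

# Print the value of -Dorg.apache.kafka.disallowed.login.modules found in a JVM
# command line or KAFKA_OPTS string (prints nothing if the property is absent).
disallowed_modules_value() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^-Dorg\.apache\.kafka\.disallowed\.login\.modules=//p' \
        | head -n 1
}

# Return 0 only when every module in REQUIRED_MODULES is in the disallowed list.
check_disallowed_modules() {
    value=$(disallowed_modules_value "$1")
    if [ -z "$value" ]; then
        echo "MISSING: property not set (broker falls back to its built-in default)"
        return 1
    fi
    for m in $REQUIRED_MODULES; do
        case ",$value," in
            *",$m,"*) ;;
            *) echo "INCOMPLETE: $m is not disallowed"; return 1 ;;
        esac
    done
    echo "OK: disallowed modules = $value"
    return 0
}

# Return 0 (and name the module) if a sasl.jaas.config value references one of
# the disallowed modules. Run it over static server.properties entries and over
# dynamic broker configs (kafka-configs.sh --describe), since AlterConfigs is
# what lets an attacker inject such an entry.
jaas_config_uses_disallowed() {
    for m in $REQUIRED_MODULES; do
        case "$1" in
            *"$m"*) echo "FLAG: $m referenced in JAAS config"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample inputs (not captured from a real broker).
SAFE_OPTS='-Xmx4G -Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule'
PARTIAL_OPTS='-Xmx4G -Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule'
NO_OPTS='-Xmx4G'
OK_JAAS='org.apache.kafka.common.security.plain.PlainLoginModule required username="broker" password="changeme";'
BAD_JAAS='com.sun.security.auth.module.JndiLoginModule required;'

# Demo run; the return codes are what a CI or config-audit job should act on.
for opts in "$SAFE_OPTS" "$PARTIAL_OPTS" "$NO_OPTS"; do
    check_disallowed_modules "$opts" || :
done
jaas_config_uses_disallowed "$OK_JAAS" || echo "clean: no disallowed module in JAAS config"
jaas_config_uses_disallowed "$BAD_JAAS" || :
```

The first check deliberately treats a partial list as a failure: a value that names only JndiLoginModule matches the 3.4.0 default but not the 3.9.1/4.0.0 default, which also covers LdapLoginModule.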

Affected packages

Platform | Package | State
A-MQ Clients 2 | kafka-clients | Not affected
Logging Subsystem for Red Hat OpenShift | kafka_2.11 | Not affected
Logging Subsystem for Red Hat OpenShift | kafka-clients | Not affected
OpenShift Serverless | openshift-serverless-1/kn-ekb-dispatcher-rhel8 | Not affected
OpenShift Serverless | openshift-serverless-1/kn-ekb-kafka-controller-rhel8 | Not affected
OpenShift Serverless | openshift-serverless-1/kn-ekb-post-install-rhel8 | Not affected
OpenShift Serverless | openshift-serverless-1/kn-ekb-receiver-rhel8 | Not affected
OpenShift Serverless | openshift-serverless-1/kn-ekb-webhook-kafka-rhel8 | Not affected
OpenShift Serverless | openshift-serverless-1/kn-eventing-istio-controller-rhel8 | Not affected
Red Hat build of Apache Camel 4 for Quarkus 3 | quarkus-camel-bom | Not affected


Additional information

Severity: Important
Weakness: CWE-502
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2371365 (org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability)

EPSS: 0.00492 (percentile 65%, Low)

CVSS3: 8.8 High

Related vulnerabilities

CVSS3: 7.5
nvd
3 months ago

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. ... (same text as the Description above)

CVSS3: 7.5
debian
3 months ago

In CVE-2023-25194, we announced the RCE/Denial of service attack via S ...

CVSS3: 8.8
github
3 months ago

Apache Kafka Deserialization of Untrusted Data vulnerability

CVSS3: 8.8
fstec
3 months ago

A vulnerability in the Apache Kafka message broker, caused by flaws in its deserialization mechanism, that allows an attacker to cause a denial of service

CVSS3: 9.9
redos
about 1 month ago

Multiple vulnerabilities in apache-kafka
