Описание
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
A flaw was found in Strimzi, specifically within the Kafka Connect and Kafka MirrorMaker 2 operands. When a chain of multiple Certificate Authority (CA) certificates is configured for trusted certificates, the system incorrectly trusts all certificates in the chain individually, rather than only the final CA. This vulnerability could allow an attacker to present a server certificate signed by an intermediate CA in the chain, which would be improperly accepted by the affected operand, potentially leading to a bypass of intended certificate validation and unauthorized access or information disclosure.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| streams for Apache Kafka 2 | io.strimzi-strimzi | Fix deferred | ||
| streams for Apache Kafka 2 | io.strimzi-strimzi-drain-cleaner | Fix deferred | ||
| streams for Apache Kafka 3 | io.strimzi-strimzi | Fix deferred | ||
| streams for Apache Kafka 3 | io.strimzi-strimzi-drain-cleaner | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
EPSS
5.9 Medium
CVSS3