This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new fb8884f0 MINOR: Update CVE-2023-25194 details
fb8884f0 is described below
commit fb8884f02ff34bf71ea47fa692a38b9a2f58ceae
Author: Manikumar Reddy <[email protected]>
AuthorDate: Tue Feb 7 21:30:13 2023 +0530
MINOR: Update CVE-2023-25194 details
---
cve-list.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/cve-list.html b/cve-list.html
index 9bba9137..01f6cc17 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,57 @@
This page lists all security vulnerabilities fixed in released versions of
Apache Kafka.
+ <h2 id="CVE-2023-25194"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-25194";>CVE-2023-25194</a>
Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule
configuration using Kafka Connect </h2>
+
+ <p>A possible security vulnerability has been identified in Apache Kafka
Connect.
+ This requires access to a Kafka Connect worker, and the ability to
create/modify connectors on it with an arbitrary Kafka client SASL JAAS config
+ and a SASL-based security protocol, which has been possible on Kafka
Connect clusters since Apache Kafka 2.3.0. This will allow to perform JNDI
requests
+ that result in Denial of service/remote code execution.
+ </p>
+
+ <table class="data-table">
+ <tbody>
+ <tr>
+ <td>Versions affected</td>
+ <td>2.3.0 - 3.3.2</td>
+ </tr>
+ <tr>
+ <td>Fixed versions</td>
+ <td>3.4.0</td>
+ </tr>
+ <tr>
+ <td>Impact</td>
+ <td>When configuring the connector via the Kafka Connect REST API,
an authenticated operator can set the `sasl.jaas.config`
+ property for any of the connector's Kafka clients to
"com.sun.security.auth.module.JndiLoginModule", which can be done via the
+ `producer.override.sasl.jaas.config`,
`consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config`
properties.<br>
+
+ This will allow the server to connect to the attacker's LDAP
server and deserialize the LDAP response, which the attacker can use
+ to execute java deserialization gadget chains on the Kafka connect
server. Attacker can cause unrestricted deserialization of untrusted data
+ (or) RCE vulnerability when there are gadgets in the classpath.<br>
+ </td>
+ </tr>
+ <tr>
+ <td>Advice</td>
+ <td>Since Apache Kafka 3.0.0, users are allowed to specify these
properties in connector configurations for Kafka Connect clusters running with
out-of-the-box
+ configurations. Before Apache Kafka 3.0.0, users may not specify
these properties unless the Kafka Connect cluster has been reconfigured with a
connector
+ client override policy that permits them.<br>
+
+ Since Apache Kafka 3.4.0, we have added a system property
("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic
login modules usage
+ in SASL JAAS configuration. Also by default
"com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka
3.4.0.<br>
+
+ We advise the Kafka Connect users to validate connector
configurations and only allow trusted JNDI configurations. Also examine
connector dependencies for
+ vulnerable versions and either upgrade their connectors, upgrading
that specific dependency, or removing the connectors as options for
remediation. Finally,
+ in addition to leveraging the
"org.apache.kafka.disallowed.login.modules" system property, Kafka Connect
users can also implement their own connector
+ client config override policy, which can be used to control which
Kafka client properties can be overridden directly in a connector config and
which cannot.<br>
+ </td>
+ </tr>
+ <tr>
+ <td>Issue announced</td>
+ <td>8 Feb 2023</td>
+ </tr>
+ </tbody>
+ </table>
+
<h2 id="CVE-2022-34917"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917";>CVE-2022-34917</a>
Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
<p>This CVE identified a flaw where it allows the malicious
unauthenticated clients to allocate large amounts of memory on brokers. This
can lead to brokers hitting OutOfMemoryException and
