This is an automated email from the ASF dual-hosted git repository.

gharris pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 0d8630c84 Add CVE-2024-31141 to CVE list (#645)
0d8630c84 is described below

commit 0d8630c8459439ad3b834a11557a1ad0f09e270c
Author: Greg Harris <[email protected]>
AuthorDate: Mon Nov 18 11:33:29 2024 -0800

    Add CVE-2024-31141 to CVE list (#645)
    
    Signed-off-by: Greg Harris <[email protected]>
---
 cve-list.html | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index 2566530fe..84f8aff12 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,46 @@
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+      <h2 id="CVE-2024-31141"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31141";>CVE-2024-31141</a> Files 
or Directories Accessible to External Parties, Improper Privilege Management 
vulnerability in Apache Kafka Clients</h2>
+
+      <p>Apache Kafka Clients accept configuration data for customizing 
behavior, and includes ConfigProvider plugins in order to manipulate these 
configurations. Apache Kafka also provides FileConfigProvider, 
DirectoryConfigProvider, and EnvVarConfigProvider implementations which include 
the ability to read from disk or environment variables. </p>
+
+      <p>In applications where Apache Kafka Clients configurations can be 
specified by an untrusted party, attackers may use these ConfigProviders to 
read arbitrary contents of the disk and environment variables.
+        In particular, this flaw may be used in Apache Kafka Connect to 
escalate from REST API access to filesystem/environment access, which may be 
undesirable in certain environments, including SaaS products.
+
+      </p>
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>2.3.0 - 3.7.1</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.8.0</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>Contents of disks and environment variables of applications 
using Kafka Clients may be leaked to untrusted parties.</td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td>
+            <ul>
+              <li>Users with affected applications are recommended to upgrade 
kafka-clients to version >=3.8.0, and set the JVM system property 
"org.apache.kafka.automatic.config.providers=none".</li>
+              <li>Users of Kafka Connect with one of the listed ConfigProvider 
implementations specified in their worker config are also recommended to add 
appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation 
to appropriate bounds.</li>
+              <li>For users of Kafka Clients or Kafka Connect in environments 
that trust users with disk and environment variable access, it is not 
recommended to set the system property.</li>
+              <li>For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka 
Streams, and Kafka command-line tools, it is not recommended to set the system 
property.</li>
+            </ul>
+          </td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>18 Nov 2024</td>
+        </tr>
+        </tbody>
+      </table>
+
       <h2 id="CVE-2024-27309"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-27309";>CVE-2024-27309</a> 
Potential incorrect access control during migration from ZK mode to KRaft 
mode</h2>
 
       <p> While an Apache Kafka cluster is being migrated from ZooKeeper mode 
to KRaft mode, in some cases ACLs will not be correctly enforced.  Two 
preconditions are needed to trigger the bug:
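Review bot: The Advice list in the new table names both `allowlist.pattern` and `allowed.paths` without saying which of the three ConfigProvider implementations introduced in the first paragraph (FileConfigProvider, DirectoryConfigProvider, EnvVarConfigProvider) each setting constrains; a clause per setting, stating which provider reads it, would keep readers from having to look it up elsewhere. Two smaller markup points in the same hunk: the bare `>=3.8.0` in the first `<li>` should be `&gt;=3.8.0`, and the second `<p>` carries an empty `+` line before its `</p>` that can be dropped. The `;` after the closing quote of the `href` also appears on the unchanged CVE-2024-27309 heading below, so it looks like a mail-archive rendering artifact rather than something in the file, but it is worth confirming on the rendered page.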
