[ https://issues.apache.org/jira/browse/FLUME-3470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Deepak Garg updated FLUME-3470:
-------------------------------
    Description: 
*Security Vulnerability Details*

*CVE-2023-25194*

 

*Explanation*
The Apache {{kafka-clients}} package is vulnerable to Remote Code Execution 
(RCE). The {{load()}} and {{defaultContext()}} methods in the {{JaasContext}} 
class fail to provide a mechanism for disallowing dangerous authentication 
modules. Consequently, since Kafka deserializes the responses it receives from 
configured LDAP servers, modules such as 
{{com.sun.security.auth.module.JndiLoginModule}} may be leveraged to cause 
Kafka to deserialize responses into arbitrary classes that exist on the 
classpath. A remote attacker with access to a Kafka Connect worker who can 
configure connectors via the Kafka Connect REST API can exploit this 
vulnerability to execute malicious code on an affected Kafka server.

{_}Advisory Deviation Notice{_}: The Sonatype security research team discovered 
that this vulnerability was introduced in version {{0.10.2.0}} and not 
{{2.3.0}} as stated in the advisory.

*Detection*
The application is vulnerable by using this component.

*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue. In addition to upgrading, the project advises users to take 
the following measures:
{quote}We advise the Kafka Connect users to validate connector configurations
and only allow trusted JNDI configurations. Also examine connector
dependencies for vulnerable versions and either upgrade their
connectors, upgrading that specific dependency, or removing the
connectors as options for remediation. Finally, in addition to leveraging the
"org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users
can also implement their own connector client config override policy, which can
be used to control which Kafka client properties can be overridden directly
in a connector config and which cannot.
{quote}
Reference: [https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz]

Note: If this component is included as a bundled/transitive dependency of 
another component, there may not be an upgrade path. In this instance, we 
recommend contacting the maintainers who included the vulnerable package. 
Alternatively, we recommend investigating alternative components or a potential 
mitigating control.

*Version Affected*
[0.10.2.0,3.3.2]
 

  was:
*Security Vulnerability Details*

*CVE-2023-25194*

 


> Upgrade Kafka-clients jar to 3.4.0
> ----------------------------------
>
>                 Key: FLUME-3470
>                 URL: https://issues.apache.org/jira/browse/FLUME-3470
>             Project: Flume
>          Issue Type: Improvement
>         Environment: RHEL7
> Hadoop 3
> flume 1.11.0
>  
>            Reporter: Deepak Garg
>            Priority: Major
>              Labels: pull-request-available
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
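As an added illustration of the last measure in the recommendation above (example code, not from Flume, Kafka or the reporter): a minimal Kafka Connect connector client config override policy that refuses any connector-level override of the SASL/JAAS client properties, so a connector configuration submitted through the REST API cannot select its own login module. The class and package names are hypothetical; the `ConnectorClientConfigOverridePolicy` interface, `ConfigValue`, and the `connector.client.config.override.policy` worker setting are Kafka's own.

```java
package example.policy; // hypothetical package, not part of Flume or Kafka

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.kafka.common.config.ConfigValue;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigOverridePolicy;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigRequest;

/**
 * Lets connectors tune ordinary producer/consumer/admin client properties but
 * rejects overrides of the authentication settings, which stay under the
 * control of the worker configuration. Complements the
 * org.apache.kafka.disallowed.login.modules system property rather than
 * replacing it: the property blocks specific modules, this policy blocks the
 * override channel itself.
 */
public class NoJaasOverridePolicy implements ConnectorClientConfigOverridePolicy {

    // Client property names (or prefixes) that a connector may never override.
    private static final List<String> LOCKED_PREFIXES = Arrays.asList(
            "sasl.jaas.config",
            "sasl.login.",
            "sasl.client.callback.handler.class");

    @Override
    public List<ConfigValue> validate(ConnectorClientConfigRequest request) {
        List<ConfigValue> results = new ArrayList<>();
        for (Map.Entry<String, Object> entry : request.clientProps().entrySet()) {
            String name = entry.getKey();
            // A mutable error list: the framework rejects the connector config
            // when any returned ConfigValue carries an error message.
            ConfigValue value = new ConfigValue(name, entry.getValue(),
                    Collections.emptyList(), new ArrayList<>());
            if (isLocked(name)) {
                value.addErrorMessage("Override of " + name + " is not permitted; "
                        + "authentication settings are fixed by the worker configuration");
            }
            results.add(value);
        }
        return results;
    }

    static boolean isLocked(String name) {
        for (String prefix : LOCKED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void configure(Map<String, ?> configs) { }

    @Override
    public void close() { }
}
```

The worker selects the policy with `connector.client.config.override.policy=example.policy.NoJaasOverridePolicy` once the class is on the worker's plugin path.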
