[jira] [Commented] (KAFKA-14696) CVE-2023-25194: Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect

MillieZhang (Jira) Fri, 10 Feb 2023 00:07:03 -0800


    [ 
https://issues.apache.org/jira/browse/KAFKA-14696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17686925#comment-17686925
 ]


MillieZhang commented on KAFKA-14696:
-------------------------------------

As you said, I'm going to fix this by turning the commit 
ae22ec1a0ea005664439c3f45111aa34390ecaa1 of 3.4 into the 2.8 branch. Are there 
any other suggestions for repair this on 2.8 ?

> CVE-2023-25194: Apache Kafka: Possible RCE/Denial of service attack via SASL 
> JAAS JndiLoginModule configuration using Kafka Connect
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14696
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14696
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.8.1, 2.8.2
>            Reporter: MillieZhang
>            Priority: Major
>             Fix For: 3.4.0
>
>
> CVE Reference: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34917]
>  
> Will Kafka 2.8.X provide a patch to fix this vulnerability?
> If yes, when will the patch be provided?
>  
> Thanks



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (KAFKA-14696) CVE-2023-25194: Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect

Reply via email to