Impacted versions:
- Confluent Platform versions 7.0.4, 7.1.2
- Confluent Cloud
Recommended action:
- Update to the latest available Confluent Platform versions CP 7.0.5, 7.1.3
- Confluent Cloud managed Kafka clusters have been remediated and no further action is necessary.
Issue:
Cluster Linking enables Confluent Platform and Cloud customers to directly connect clusters and mirror topics from one source cluster to another destination cluster. The cluster links use source authentication credentials configured on the source link to authenticate with the source cluster.
For source-initiated cluster link configurations (released in Confluent Platform versions >= 7.0.0), the source cluster’s API secret is not marked as sensitive and is therefore returned in plaintext to users who describe the source link and meet either of the following conditions:
- Users assigned cluster ACLs with the DescribeConfigs permission on the source cluster
- Users assigned the AuditAdmin or DeveloperManage roles through role-based access control (RBAC)
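The following audit check is an added example, not Confluent's code or part of the advisory: it walks a describe-configs result and reports credential-like entries that the broker did not flag as sensitive, or whose values came back in plaintext, which is how a defender can confirm the remediated behaviour. The `ConfigEntry` stand-in mirrors the Kafka AdminClient fields, and `example.source.api.secret` is a placeholder name because the advisory does not give the real config key.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names that a broker should always flag as sensitive. Kafka already treats
# *.password and sasl.jaas.config as PASSWORD-type (sensitive) settings.
SECRET_NAME_RE = re.compile(r"(secret|password|jaas\.config|token|credential)", re.I)


@dataclass
class ConfigEntry:
    """Minimal stand-in for the fields of a Kafka AdminClient ConfigEntry."""
    name: str
    value: Optional[str]   # a correctly behaving broker returns None for sensitive entries
    is_sensitive: bool


def find_unmarked_secrets(entries: List[ConfigEntry]) -> List[str]:
    """Credential-like entries not flagged sensitive (the advisory's root cause)."""
    return [e.name for e in entries
            if SECRET_NAME_RE.search(e.name) and not e.is_sensitive]


def find_plaintext_values(entries: List[ConfigEntry]) -> Dict[str, str]:
    """Credential-like entries whose value was actually returned by describe."""
    return {e.name: e.value for e in entries
            if SECRET_NAME_RE.search(e.name) and e.value is not None}


# Constructed describe-config results for a source-initiated link.
# "example.source.api.secret" is a placeholder key name (not from the advisory).
BEFORE_FIX = [
    ConfigEntry("bootstrap.servers", "source-broker:9092", False),
    ConfigEntry("sasl.jaas.config", None, True),             # correctly redacted
    ConfigEntry("example.source.api.secret", "PLACEHOLDER_SECRET_VALUE", False),
]
AFTER_FIX = [
    ConfigEntry("bootstrap.servers", "source-broker:9092", False),
    ConfigEntry("sasl.jaas.config", None, True),
    ConfigEntry("example.source.api.secret", None, True),    # now sensitive, value withheld
]

if __name__ == "__main__":
    for label, result in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "unmarked:", find_unmarked_secrets(result),
              "plaintext:", find_plaintext_values(result))
```

Running the same two checks against a live cluster's describe output (after mapping the client's entries onto `ConfigEntry`) gives an empty result on a remediated cluster.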
Remediation:
We have included fixes in the updated Confluent Platform versions 7.0.5 and 7.1.3, and in all Confluent Cloud managed Kafka clusters. These fixes address the issue: the sensitive parameters are no longer returned when describing source cluster links.
CVSS Score: 6.5
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N&version=3.1