Impacted versions
- Confluent Platform versions 5.5.0-5.5.14, 6.0.0-6.0.12, 6.1.0-6.1.10, 6.2.0-6.2.9, 7.0.0-7.0.8, 7.1.0-7.1.6, 7.2.0-7.2.4, 7.3.0-7.3.2. By default, these versions are not vulnerable unless Confluent Platform logging configurations are overridden and the log level is set to Debug.
- Confluent Cloud is not affected, because managed Confluent Kafka clusters are configured with appropriate logging levels.
Issue
Multiple Debug-level logging statements were identified in Confluent Platform that log either sensitive client credentials or the underlying Confluent Kafka HTTP REST requests, which may themselves include sensitive parameters. The issue manifests only when the logging level is set to Debug. As a result, any Confluent Platform component running with Debug level enabled can write un-obfuscated sensitive information to standard output and expose it to any downstream logging pipelines.
Remediation
We have included fixes in the updated Confluent Platform versions 5.5.15, 6.0.13, 6.1.11, 6.2.10, 7.0.9, 7.1.7, 7.2.5, 7.3.3. These fixes adequately address this issue, as the vulnerable Debug-level logging statements were refactored to remove sensitive values.
We also advise all Confluent Platform users to validate their logging configurations and ensure that the log level is set above Debug, especially in production.
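The following added example (not Confluent's own tooling) audits a log4j 1.x style properties file, the format Confluent Platform components read from paths such as /etc/kafka/log4j.properties (path and format are assumptions), and reports every logger whose effective level, after walking the logger hierarchy to the root, is DEBUG or TRACE. The sample configuration embedded below is constructed for illustration.

```python
"""Flag loggers whose effective level is DEBUG or more verbose in a log4j 1.x
properties file. Assumptions: log4j 1.x 'log4j.rootLogger=LEVEL, appender'
and 'log4j.logger.<name>=LEVEL[, appender]' syntax; unset root defaults to DEBUG."""

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]


def parse_log4j_properties(text):
    """Map logger name ('' for root) to the configured level, ignoring appenders."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        level = value.split(",")[0].strip().upper()   # 'INFO, stdout' -> 'INFO'
        if key == "log4j.rootLogger":
            levels[""] = level
        elif key.startswith("log4j.logger."):
            levels[key[len("log4j.logger."):]] = level
    return levels


def effective_level(levels, logger):
    """Resolve 'kafka.request.logger' -> 'kafka.request' -> 'kafka' -> root."""
    name = logger
    while True:
        if name in levels and levels[name] in LEVELS:
            return levels[name]
        if not name:
            return "DEBUG"   # log4j 1.x default when the root logger is unset
        name = name.rpartition(".")[0]


def find_verbose_loggers(text, watch=("", "kafka", "org.apache.kafka", "io.confluent")):
    """Return {logger: level} for configured or watched loggers at DEBUG/TRACE."""
    levels = parse_log4j_properties(text)
    findings = {}
    for name in set(levels) | set(watch):
        level = effective_level(levels, name)
        if LEVELS.index(level) <= LEVELS.index("DEBUG"):
            findings[name or "<root>"] = level
    return findings


# Constructed sample, not a real Confluent configuration file.
SAMPLE_CONFIG = """
# root stays at INFO, but one component was overridden to DEBUG
log4j.rootLogger=INFO, stdout
log4j.logger.kafka=INFO
log4j.logger.org.apache.kafka=INFO
log4j.logger.io.confluent.rest=DEBUG
log4j.logger.kafka.request.logger=WARN, requestAppender
"""

if __name__ == "__main__":
    print(find_verbose_loggers(SAMPLE_CONFIG))   # {'io.confluent.rest': 'DEBUG'}
```

A file with no log4j.rootLogger line is also reported, since log4j 1.x then falls back to DEBUG for every logger that has no explicit level.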
CVSS Score
4.4