Impacted Versions
- Confluent Platform versions 5.5.0-5.5.14, 6.0.0-6.0.12, 6.1.0-6.1.10, 6.2.0-6.2.9, 7.0.0-7.0.8, 7.1.0-7.1.6, 7.2.0-7.2.4, 7.3.0-7.3.2
- Confluent Cloud
Recommended Action
- Update to the latest Confluent Platform versions 5.5.14, 6.0.12, 6.1.10, 6.2.9, 7.0.8, 7.1.6, 7.2.4, 7.3.2, which are now published.
- Confluent Cloud managed ksqlDB clusters have been remediated as of December 12, 2022 and no further action is necessary.
Issue
A security issue was discovered in ksqlDB that affects Confluent Platform and Confluent Cloud. Multiple logging statements were identified that caused sensitive information related to client-provided queries, and in some cases ksqlDB session variables, to be logged by the default instantiation of ksqlDB as well as in various exception-handling paths. As a result, any instantiation of the Confluent Platform ksqlDB component can write un-obfuscated sensitive information related to client-provided queries or client credentials to standard output, exposing it to any downstream logging pipelines.
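One defender-side check for the exposure described above, as an added example that is not Confluent's or the ksqlDB project's code: a scanner that flags log lines carrying credential-bearing connector properties or session variables from client-provided statements and redacts them before the lines reach a downstream pipeline. The log line layout, the property names and the sample statements are constructed for the example.

```python
import re
from typing import List, Tuple

# Credential-bearing property names. Connector properties appear in
# CREATE SOURCE/SINK CONNECTOR ... WITH ('key'='value', ...) statements and
# session variables in SET 'key'='value'; both are the client-provided query
# text the advisory says was logged un-obfuscated.
SECRET_PROPERTY_RE = re.compile(
    r"'(?P<key>[^']*(?:password|secret|token|credential|sasl\.jaas\.config)[^']*)'"
    r"\s*=\s*'(?P<val>[^']*)'",
    re.IGNORECASE,
)

def redact_statement(text: str) -> Tuple[str, List[str]]:
    """Return (redacted_text, property_names_found). Doubled quotes ('')
    inside a value are not handled."""
    found: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        found.append(m.group("key"))
        return f"'{m.group('key')}'='[REDACTED]'"

    return SECRET_PROPERTY_RE.sub(_sub, text), found

def scan_log(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_number, keys_found, redacted_line) for each leaking line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, keys = redact_statement(line)
        if keys:
            hits.append((number, keys, redacted))
    return hits

# Constructed sample lines; the log layout is assumed, not copied from ksqlDB.
SAMPLE_LOG = [
    "[2022-12-01 10:15:02,113] INFO Processing statement: CREATE STREAM s (id INT) "
    "WITH (kafka_topic='t', value_format='JSON'); (io.confluent.ksql.rest.server.resources.KsqlResource)",
    "[2022-12-01 10:15:07,440] INFO Processing statement: CREATE SOURCE CONNECTOR jdbc_src WITH "
    "('connector.class'='io.confluent.connect.jdbc.JdbcSourceConnector', "
    "'connection.url'='jdbc:postgresql://db:5432/app', 'connection.user'='app', "
    "'connection.password'='hunter2'); (io.confluent.ksql.rest.server.resources.KsqlResource)",
    "[2022-12-01 10:15:09,001] ERROR Failed to execute statement: SET "
    "'ksql.streams.sasl.jaas.config'='org.apache.kafka.common.security.plain.PlainLoginModule "
    "required username=\"svc\" password=\"p4ss\";' (io.confluent.ksql.rest.server.resources.KsqlResource)",
]

if __name__ == "__main__":
    for number, keys, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: leaked {keys}\n  {redacted}")
```

Running the scanner over an existing log archive tells you which statements already leaked and which property names to expect; the same function placed in the log-shipping path keeps credentials out of downstream sinks until the patched versions are deployed.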
Remediation
We have included fixes in the updated Confluent Platform versions 5.5.15, 6.0.13, 6.1.11, 6.2.10, 7.0.9, 7.1.7, 7.2.5, 7.3.3 and in all Confluent Cloud managed ksqlDB clusters. These fixes adequately address this issue: the sensitive data related to query information is no longer emitted in the default and exception cases.
CVSS Score
4.4