Impacted Versions
Confluent Platform versions 7.0.0-7.0.8, 7.1.0-7.1.6, 7.2.0-7.2.4, 7.3.0-7.3.2
Recommended Actions
Update to one of the patched Confluent Platform versions: 7.0.9, 7.1.7, 7.2.5, 7.3.3
Issue
Schema Linking for Confluent Platform keeps schemas in sync across two Schema Registry clusters. A schema exporter is a component that resides in Schema Registry and exports subjects or contexts (groupings of subjects) from a source Schema Registry cluster to a destination Schema Registry cluster.
Prior to the rollout of RBAC for Schema Linking, RBAC-based read restrictions on subjects or contexts could be bypassed using the Schema Linking feature. Without RBAC enforcement, a lower-privileged user could misuse schema links by creating one that exports subjects from a source Schema Registry cluster (where that user is not permitted to read those schemas) to any destination Schema Registry cluster where the user is permitted to read any subject. RBAC-based restrictions on the write, delete and update APIs of Schema Registry are not affected by this vulnerability.
Remediation
- Upgrade to a patched Confluent Platform version: 7.0.9, 7.1.7, 7.2.5 or 7.3.3. Note: any schema links created before the upgrade continue to work as before. Refer to this document for configuring the RBAC-based access controls that patched versions enforce for CRUD operations on schema-linking exporters, for both existing and new schema links. In patched versions, only the ClusterAdmin, SystemAdmin and ResourceOwner (the latter only when the scope is Subject = *) roles are allowed to perform CRUD operations on schema links.
- After upgrading to one of the versions above, review the configuration of every schema link created before RBAC for Schema Linking was rolled out in the patched versions, to confirm that the subjects or contexts already being exported to a destination cluster meet your access control requirements. The Schema Linking APIs can be used to list existing exporters and their configuration.
- To delete or change the configuration of a schema link created before upgrading to a patched version, use a user that holds one of the roles allowed to change or delete schema links, via the Schema Linking APIs.
- Assign appropriate roles to users and service accounts, per your access control requirements, for CRUD operations on new schema links.
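One way to carry out the configuration review described above, as an added example that is not Confluent's own tooling: it reads exporter definitions over the Schema Registry REST API (GET /exporters for the names, GET /exporters/{name} for each definition) and flags any link whose subject entries overlap a set of subjects you consider restricted. The sample exporter definitions, hostnames and the restricted subject list are constructed for this example, and glob-style matching of subject entries is an assumption of this checker, not documented exporter semantics.

```python
import fnmatch
import json
import urllib.request

# Constructed sample shaped like GET /exporters/{name} responses, keyed by exporter
# name as GET /exporters lists them; subjects and URLs are invented for this example.
SAMPLE_EXPORTERS = {
    "pii-link": {"contextType": "CUSTOM", "context": "from-src",
                 "subjects": ["customers-value", "payments-*"],
                 "config": {"schema.registry.url": "http://dest-sr.example:8081"}},
    "public-link": {"contextType": "AUTO", "subjects": ["public-events-value"],
                    "config": {"schema.registry.url": "http://partner-sr.example:8081"}},
    "everything-link": {"contextType": "NONE", "subjects": ["*"],
                        "config": {"schema.registry.url": "http://dest-sr.example:8081"}},
}

def subjects_exposed(exporter, restricted):
    """Return the exporter's subject entries that overlap a restricted subject.
    Either side may carry a glob-style wildcard (assumed here), so an overlap is one
    matching the other; a bare "*" entry exports every subject and always counts."""
    hits = []
    for sub in exporter.get("subjects", []):
        if sub == "*" or any(fnmatch.fnmatch(sub, r) or fnmatch.fnmatch(r, sub)
                             for r in restricted):
            hits.append(sub)
    return hits

def review(exporters, restricted):
    """Map exporter name -> destination URL, context and overlapping subjects for
    every link that exports something restricted; an empty dict means none do."""
    findings = {}
    for name, exp in exporters.items():
        exposed = subjects_exposed(exp, restricted)
        if exposed:
            findings[name] = {"destination": exp.get("config", {}).get("schema.registry.url"),
                              "context": exp.get("context"), "subjects": exposed}
    return findings

def fetch_exporters(base_url, headers=None):
    """Pull live exporter definitions from a source Schema Registry: GET /exporters
    lists the names, GET /exporters/{name} returns each definition (pass auth headers)."""
    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers or {})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return {name: get("/exporters/" + name) for name in get("/exporters")}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EXPORTERS, ["customers-*", "payments-value"]), indent=2))
```

Against a live cluster, replace SAMPLE_EXPORTERS with fetch_exporters("http://<source-sr>:8081", headers) using the credentials of a user allowed to read exporters in the patched version.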
CVSS Score
5.5