Impacted Versions
- kafka-connect-jdbc: any version earlier than 10.7.3, 10.6.5, 10.5.9, 10.4.7, 10.3.9, 10.2.14, 10.1.14, 10.0.17
- kafka-connect-netezza: any version earlier than 1.0.3
- kafka-connect-azure-sql-dw: any version earlier than 1.0.5
Recommended Action
- Upgrade to the following Connector versions:
- kafka-connect-jdbc: 10.7.3, 10.6.5, 10.5.9, 10.4.7, 10.3.9, 10.2.14, 10.1.14, 10.0.17
- kafka-connect-netezza: 1.0.3
- kafka-connect-azure-sql-dw: 1.0.5
- Managed connectors in Confluent Cloud have never been impacted by this vulnerability and no further action is necessary.
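The version comparison implied by the lists above, written out as an added Python example (this is not Confluent's code): it reads the plugin inventory that the Kafka Connect REST API returns from GET /connector-plugins, maps plugin classes to the three connector packages, and compares each installed version with the fix version for its release line, so that 10.6.4 is reported against 10.6.5 rather than against 10.7.3. The class-name prefixes, the sample plugin JSON and the Connect URL are assumptions made for the example.

```python
import json
import urllib.request
from typing import Dict, List, Tuple

# Fixed versions taken from the advisory, one per release line.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "kafka-connect-jdbc": ["10.7.3", "10.6.5", "10.5.9", "10.4.7",
                           "10.3.9", "10.2.14", "10.1.14", "10.0.17"],
    "kafka-connect-netezza": ["1.0.3"],
    "kafka-connect-azure-sql-dw": ["1.0.5"],
}

# Plugin class prefix -> connector package. ASSUMED for illustration; verify
# against the "class" values your own Connect cluster reports.
CLASS_PREFIXES: Dict[str, str] = {
    "io.confluent.connect.jdbc.": "kafka-connect-jdbc",
    "io.confluent.connect.netezza.": "kafka-connect-netezza",
    "io.confluent.connect.azuresqldw.": "kafka-connect-azure-sql-dw",
}

# Constructed sample of a GET /connector-plugins response (not real output).
SAMPLE_PLUGINS_JSON = """[
 {"class": "io.confluent.connect.jdbc.JdbcSinkConnector", "type": "sink", "version": "10.6.4"},
 {"class": "io.confluent.connect.jdbc.JdbcSourceConnector", "type": "source", "version": "10.6.4"},
 {"class": "io.confluent.connect.netezza.NetezzaSinkConnector", "type": "sink", "version": "1.0.3-ccs"},
 {"class": "org.apache.kafka.connect.file.FileStreamSinkConnector", "type": "sink", "version": "3.4.0"}
]"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.6.4' or '1.0.3-ccs' into (10, 6, 4); suffixes after '-' are dropped."""
    core = text.split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(package: str, version: str) -> str:
    """Classify an installed version against the advisory's per-branch fixes.

    'fixed'       : same major.minor line as a fix and patch >= fix patch
    'vulnerable'  : below the fix for its line, or older than every fixed line
    'not-covered' : a newer line the advisory does not name; check release notes
    """
    installed = parse_version(version)
    fixes = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS[package]}
    branch = installed[:2]
    if branch in fixes:
        return "fixed" if installed >= fixes[branch] else "vulnerable"
    if branch < min(fixes):
        return "vulnerable"
    return "not-covered"


def audit_plugins(plugins_json: str) -> List[dict]:
    """Map each relevant plugin in a /connector-plugins payload to a status."""
    results = []
    for plugin in json.loads(plugins_json):
        cls = plugin.get("class", "")
        package = next((pkg for pre, pkg in CLASS_PREFIXES.items() if cls.startswith(pre)), None)
        if package is None:
            continue  # not one of the three connectors in the advisory
        results.append({
            "class": cls,
            "package": package,
            "version": plugin.get("version", ""),
            "status": assess(package, plugin.get("version", "")),
        })
    return results


def fetch_plugins(connect_url: str = "http://localhost:8083") -> str:
    """Read the live inventory from a Connect worker (URL is an assumption)."""
    with urllib.request.urlopen(f"{connect_url}/connector-plugins", timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for row in audit_plugins(SAMPLE_PLUGINS_JSON):
        print(f"{row['status']:<12} {row['package']:<28} {row['version']:<10} {row['class']}")
```

Run it against a real worker with `audit_plugins(fetch_plugins("http://<worker>:8083"))`. Anything reported as "vulnerable" should be upgraded to the fix version for its line; "not-covered" means a release line newer than the advisory lists, which the advisory itself does not make a claim about.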
Issue
A security issue was discovered in the Confluent-built kafka-connect-jdbc, kafka-connect-netezza and kafka-connect-azure-sql-dw connector versions noted above. These versions are vulnerable to Remote Code Execution (RCE) via a user-provided JDBC URL, because they depend on a version of org.xerial.sqlite-jdbc affected by CVE-2023-32697. Confluent Platform users are affected only if an impacted connector version is installed. To mount a successful attack, an adversary would need access to the Connect REST APIs in order to repeatedly configure and reload the vulnerable connectors.
Please note that this issue has never impacted any managed connectors running in Confluent Cloud.
Remediation
We have included fixes in the updated connector versions kafka-connect-jdbc 10.7.3, 10.6.5, 10.5.9, 10.4.7, 10.3.9, 10.2.14, 10.1.14 and 10.0.17, kafka-connect-netezza 1.0.3, and kafka-connect-azure-sql-dw 1.0.5, all of which are compatible with all supported Confluent Platform versions. These fixes address the RCE vulnerability by upgrading to the safe sqlite-jdbc version 3.41.2.2 or, in some cases, by removing the vulnerable sqlite-jdbc dependency from the impacted connector versions entirely.