Impacted Versions
- Confluent Platform versions below 7.5.3, 7.4.4, 7.3.7, 7.2.9, 7.1.11, 7.0.13, 6.2.14 and 6.1.15 (the patch releases listed under Recommended Action are the first fixed releases in each line). Note that the issue is only reachable with specific non-default configuration settings (described below); Confluent Platform does not enable them by default, even in the impacted versions.
Recommended Action
- Upgrade to CP 7.5.3, 7.4.4, 7.3.7, 7.2.9, 7.1.11, 7.0.13, 6.2.14, 6.1.15
Issue
A security issue was discovered in Confluent Platform because it bundles ZooKeeper 3.4.x and 3.6.x, which are affected by CVE-2023-44981. Confluent Platform's default configuration is not impacted. Only ZooKeeper deployments with both of the following non-default settings are impacted:
- SASL quorum peer authentication enabled (quorum.auth.enableSasl=true), and
- Dynamic reconfiguration enabled (reconfigEnabled=true)
The flaw is in how ZooKeeper authorizes the Kerberos identity of a peer joining the quorum: the check verifies that the instance part of the SASL authentication ID (the host in primary/instance@REALM) appears in the configured server list, but the instance part is optional, and when it is absent (an ID such as eve@EXAMPLE.COM) the check is skipped. An unauthorized actor holding any credential the ensemble's SASL configuration accepts could therefore bypass the authorization check and join the ZooKeeper quorum. Once in the quorum, the actor can propagate counterfeit changes to the leader, gaining read/write access to the data tree and resulting in complete loss of confidentiality, integrity and availability of the data.
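The following Python is an added example, not Confluent or ZooKeeper code. It does two things a practitioner reviewing this advisory would want: it audits a zoo.cfg for the two settings that put a deployment in scope (both must be true), and it models the identity check that CVE-2023-44981 describes, side by side with the hardened form, so the bypass is visible on concrete authentication IDs. The zoo.cfg contents and hostnames are constructed for illustration; the check functions are a simplified model of the behaviour described in the CVE text, not a transcription of ZooKeeper's source.

```python
"""Audit zoo.cfg for the CVE-2023-44981 preconditions and model the identity check.

Added example; not Confluent's or ZooKeeper's own code. Sample configs are
constructed, and the authorization functions are a model of the check the CVE
describes, not ZooKeeper's implementation.
"""

# Constructed zoo.cfg with both non-default settings this advisory lists.
ZOO_CFG_IMPACTED = """
# constructed sample, not a real deployment
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
reconfigEnabled=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

# Constructed zoo.cfg with Confluent Platform style defaults (neither setting).
ZOO_CFG_DEFAULT = """
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=zk1.example.com:2888:3888
"""


def parse_zoo_cfg(text):
    """Minimal key=value parser; '#' lines are comments. Last key wins, as in ZooKeeper."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg, key):
    """ZooKeeper boolean properties default to false when absent."""
    return cfg.get(key, "false").strip().lower() == "true"


def impacted_configuration(cfg):
    """In scope only when SASL quorum auth AND dynamic reconfiguration are both enabled."""
    return is_true(cfg, "quorum.auth.enableSasl") and is_true(cfg, "reconfigEnabled")


def ensemble_hosts(cfg):
    """Hostnames from server.N=host:peerPort:electionPort[:role][;clientPort] entries.

    With reconfigEnabled=true the server list may instead live in the file named
    by dynamicConfigFile; audit that file with the same parser in that case.
    """
    return {v.split(":")[0].split(";")[0] for k, v in cfg.items() if k.startswith("server.")}


def split_principal(auth_id):
    """Kerberos principal 'primary[/instance]@REALM' -> (primary, instance or None, realm)."""
    if "@" in auth_id:
        name, realm = auth_id.rsplit("@", 1)
    else:
        name, realm = auth_id, ""
    primary, _, instance = name.partition("/")
    return primary, (instance or None), realm


def authorized_vulnerable(auth_id, hosts):
    """Model of the pre-fix check: the instance part is optional, and when it is
    missing the server-list comparison is skipped, so the peer is admitted."""
    _, instance, _ = split_principal(auth_id)
    if instance is None:
        return True  # check skipped: this is the bypass
    return instance in hosts


def authorized_fixed(auth_id, hosts):
    """Hardened form: a missing instance part is a rejection, not a pass."""
    _, instance, _ = split_principal(auth_id)
    return instance is not None and instance in hosts


if __name__ == "__main__":
    for label, text in (("impacted", ZOO_CFG_IMPACTED), ("default", ZOO_CFG_DEFAULT)):
        cfg = parse_zoo_cfg(text)
        print(f"{label}: in scope = {impacted_configuration(cfg)}")
    hosts = ensemble_hosts(parse_zoo_cfg(ZOO_CFG_IMPACTED))
    for auth_id in ("zookeeper/zk1.example.com@EXAMPLE.COM",
                    "zookeeper/rogue.example.com@EXAMPLE.COM",
                    "eve@EXAMPLE.COM"):
        print(f"{auth_id:45} vulnerable={authorized_vulnerable(auth_id, hosts)} "
              f"fixed={authorized_fixed(auth_id, hosts)}")
```

Run against your own zoo.cfg (and the dynamicConfigFile it points at, if any) by passing the file contents to parse_zoo_cfg; a deployment is in scope only when impacted_configuration returns True. The last loop shows the point of the CVE: an ID with a rogue instance is rejected by both checks, but an ID with no instance part at all sails through the vulnerable check and is rejected only by the fixed one.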
Remediation
This issue is resolved in the CP patch releases 7.5.3, 7.4.4, 7.3.7, 7.2.9, 7.1.11, 7.0.13, 6.2.14 and 6.1.15. These releases fix the issue by upgrading the bundled ZooKeeper to 3.8.3, which contains the upstream fix for CVE-2023-44981. Until the upgrade is applied, the upstream ZooKeeper advisory recommends restricting the quorum and leader-election ports (2888 and 3888 by default) so that only ensemble members can reach them.
CVSS Score: 7.1
CVSS v3.1 Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1