Impacted versions:
- kafka-connect-activemq (ActiveMQ Source Connector):
  - 12.x: any version < 12.2.3
  - 11.x: any version < 11.0.23 (older major versions are also affected)
- kafka-connect-activemq-sink (ActiveMQ Sink Connector):
  - Any version < 2.1.9
Recommended action:
- Upgrade to the following connector versions:
  - kafka-connect-activemq >= version 12.2.3 (or >= version 11.0.23 if you stay on the 11.x line)
  - kafka-connect-activemq-sink >= version 2.1.9
- Restart every Connect worker after replacing the plugin, since connector plugins are loaded at worker start-up.
- Please note that the vulnerable managed ActiveMQ Sink connector in Confluent Cloud has already been fixed, and no impact to Confluent Cloud systems was observed. No further action is necessary for Confluent Cloud at this time.
Issue:
A security issue was identified that affects both the Confluent Platform and the Confluent Cloud managed ActiveMQ connectors, because they depend on versions of the library org.apache.activemq:activemq-client affected by CVE-2023-46604. The vulnerability is a missing type check in the Java OpenWire client: the class name to instantiate is taken from the broker's OpenWire response without validation, so a malicious broker can make the ActiveMQ client running inside a connector instantiate any class on the Connect worker's classpath. Under certain circumstances this leads to remote code execution on the Connect worker host.
Confluent Platform users are affected only if one of the vulnerable connector versions listed above is installed on a Connect worker. To mount a successful attack, an adversary needs the privileges to create or update connector configurations (for example through the Connect REST API), since that is how a connector is pointed at a broker under the attacker's control. A connector whose configured broker has itself been compromised is exposed in the same way.
The Confluent Cloud managed ActiveMQ Sink connector was identified as vulnerable to CVE-2023-46604; however, no impact to Confluent Cloud systems was observed as a result of this vulnerability. The affected connector has since been upgraded with the fix and no further action is necessary.
Remediation:
Confluent Platform: This issue is resolved in the following connector versions for Confluent Platform:
- ActiveMQ Source Connector (kafka-connect-activemq):
  - >= version 11.0.23
  - >= version 12.2.3
- ActiveMQ Sink Connector (kafka-connect-activemq-sink):
  - >= version 2.1.9
Confluent Cloud: Managed ActiveMQ connector versions in Confluent Cloud have already been patched to address this issue. No further action is necessary.
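As a practical check for the upgrade lists in the Recommended action and Remediation sections, the following added script (not Confluent's code) queries a Connect worker's REST endpoint GET /connector-plugins and flags ActiveMQ connector plugins whose reported version is below the fixed floors given above. The worker address http://localhost:8083 is an assumption, the embedded JSON is a constructed sample rather than captured worker output, and the plugin class names in it are assumptions: matching is on the substring "activemq" in the class name and on the source/sink type field the endpoint returns.

```python
"""Flag installed ActiveMQ connector plugins that predate the fixed versions
named in this advisory (CVE-2023-46604 via org.apache.activemq:activemq-client).

Added example, not Confluent's code. It reads the Connect worker REST API
(GET /connector-plugins) when given a URL, otherwise a constructed sample.
"""
import json
import re
import sys
import urllib.request

# Version floors from the advisory, keyed by connector type and major line:
#   source (kafka-connect-activemq): 11.x fixed at 11.0.23, 12.x fixed at 12.2.3
#   sink   (kafka-connect-activemq-sink): 2.x fixed at 2.1.9
FIXED_IN = {
    "source": {11: (11, 0, 23), 12: (12, 2, 3)},
    "sink": {2: (2, 1, 9)},
}


def parse_version(text):
    """Turn '12.2.3' or '12.2.3-SNAPSHOT' into a comparable (major, minor, patch)
    tuple. Returns None when no numeric version is present."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(plugin):
    """Classify one /connector-plugins entry as 'vulnerable', 'fixed',
    'unknown' (unparsable version, or a major line the advisory does not list)
    or 'n/a' (not an ActiveMQ connector at all)."""
    if "activemq" not in plugin.get("class", "").lower():
        return "n/a"
    floors = FIXED_IN.get(plugin.get("type", "").lower())
    version = parse_version(plugin.get("version"))
    if floors is None or version is None:
        return "unknown"
    if version < min(floors.values()):
        return "vulnerable"  # older than every fixed release of this connector
    floor = floors.get(version[0])
    if floor is None:
        return "unknown"  # e.g. a newer major line; verify against the vendor
    return "fixed" if version >= floor else "vulnerable"


def report(plugins):
    """Return [(class, version, status)] for every ActiveMQ plugin found."""
    rows = []
    for p in plugins:
        status = assess(p)
        if status != "n/a":
            rows.append((p.get("class"), p.get("version"), status))
    return rows


# Constructed sample of a GET /connector-plugins response (not real output).
# Plugin class names are assumptions; only the 'activemq' substring matters.
SAMPLE = json.loads("""[
  {"class": "io.confluent.connect.activemq.ActiveMQSourceConnector",
   "type": "source", "version": "12.1.0"},
  {"class": "io.confluent.connect.activemq.ActiveMQSourceConnector11",
   "type": "source", "version": "11.0.23"},
  {"class": "io.confluent.connect.jms.ActiveMqSinkConnector",
   "type": "sink", "version": "2.1.9"},
  {"class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
   "type": "sink", "version": "3.6.0"}
]""")


def main(argv):
    """Exit status 1 if any vulnerable ActiveMQ plugin is present, else 0."""
    if len(argv) > 1:
        # e.g. http://localhost:8083/connector-plugins (assumed worker address)
        with urllib.request.urlopen(argv[1]) as resp:
            plugins = json.load(resp)
    else:
        plugins = SAMPLE
    vulnerable = 0
    for cls, ver, status in report(plugins):
        print(f"{status:10s} {ver!s:10s} {cls}")
        vulnerable += status == "vulnerable"
    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per Connect worker (plugins are installed per worker, so one host may lag behind another), and treat "unknown" as a prompt to check the plugin manually rather than as a pass. A non-zero exit status makes the script usable as a gate in a deployment pipeline.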
CVSS Score: 9.8 (Critical)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1