Impacted versions:
- Confluent Platform releases up to and including 7.0.14, 7.1.11, 7.2.9, 7.3.8, 7.4.5, 7.5.4 and 7.6.1 of their respective minor release lines
- Confluent Cloud services were not impacted by this vulnerability.
Recommended action:
- Upgrade to Confluent Platform 7.0.15, 7.1.13, 7.2.11, 7.3.9, 7.4.6, 7.5.5, 7.6.2 or 7.7.0
- Managed services in Confluent Cloud have never been impacted by this vulnerability and no further action is necessary.
Issue:
CVE-2024-31141 is a privilege escalation issue affecting Apache Kafka clients. Apache Kafka ships a number of default ConfigProvider implementations (FileConfigProvider, DirectoryConfigProvider and EnvVarConfigProvider) that a client configuration can instantiate simply by naming them under config.providers and then referencing them with ${provider:path:key} placeholders. In applications where Apache Kafka client configurations can be specified by an untrusted party, these ConfigProviders can be used to read arbitrary contents of the filesystem and environment variables of the process that applies the configuration.
Confluent Platform ships the same set of default config provider classes as Apache Kafka, so impacted versions of Confluent Platform are vulnerable to CVE-2024-31141 in the same way, particularly when accepting untrusted client configurations. An attacker with privileges to create or update configurations can read environment variables or arbitrary local files, depending on which provider classes are available. Any additional custom ConfigProvider classes on the classpath can be instantiated the same way and may extend the impact beyond file and environment reads.
Please note that Confluent Cloud was not impacted by this vulnerability. As a security hygiene measure, all Confluent Cloud services have nevertheless been upgraded to the latest fixed versions.
Remediation:
- Confluent Platform
- This issue is resolved in the following versions of Confluent Platform: 7.0.15, 7.1.13, 7.2.11, 7.3.9, 7.4.6, 7.5.5, 7.6.2, 7.7.0
- If an immediate upgrade is not possible, customers are advised to apply the workarounds listed below, which harden a Confluent Platform deployment against this issue:
- The JVM system property org.apache.kafka.automatic.config.providers restricts which ConfigProvider classes client configurations may instantiate automatically: set it to a comma-separated list of fully qualified class names to allow only those classes, or to none to disable automatic instantiation of config providers entirely
- If a provider cannot be disabled, its own parameters can bound what it is allowed to read: allowed.paths (FileConfigProvider and DirectoryConfigProvider) restricts lookups to the listed directories, and allowlist.pattern (EnvVarConfigProvider) restricts which environment variable names may be resolved
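The following is an added example, not Confluent's or Apache Kafka's code, for the scenario the Issue section describes: a service that accepts Kafka client configurations from an untrusted party and must decide whether to admit them. It parses the submitted properties, finds every ${provider:path:key} placeholder and config.providers.* declaration, and applies a policy that models the two controls listed above: rejecting provider use outright (the same effect as org.apache.kafka.automatic.config.providers=none) or, where a provider must stay enabled, confining file and directory lookups to an allowed path list and environment lookups to a name pattern, in the spirit of allowed.paths and allowlist.pattern. The sample configurations are constructed, and the Policy class, its path and pattern semantics and the function names are assumptions for illustration rather than Kafka's own implementation.

```python
# Added example (not Confluent's or Apache Kafka's code): audit an untrusted Kafka
# client configuration before it is handed to a Kafka client. Assumes the stock
# ${alias:path:key} placeholder syntax and the config.providers.<alias>.class key
# layout; the policy checks are a simplified model of allowed.paths and
# allowlist.pattern, not Kafka's implementation of them.
import posixpath
import re
from dataclasses import dataclass, field

# Stock provider classes shipped with Apache Kafka and Confluent Platform.
FILE_PROVIDER = "org.apache.kafka.common.config.provider.FileConfigProvider"
DIR_PROVIDER = "org.apache.kafka.common.config.provider.DirectoryConfigProvider"
ENV_PROVIDER = "org.apache.kafka.common.config.provider.EnvVarConfigProvider"

# ${alias:path:key}; the path segment is optional (e.g. ${env:HOME}).
PLACEHOLDER = re.compile(r"\$\{([^}:]+):(?:([^}]*?):)?([^}]*?)\}")


def parse_properties(text: str) -> dict:
    """Minimal Java-properties parser: key=value lines and '#' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def find_placeholders(props: dict) -> list:
    """Return (config key, provider alias, path or None, lookup key) for each ${...}."""
    return [(key, alias, path or None, name)
            for key, value in props.items()
            for alias, path, name in PLACEHOLDER.findall(value)]


@dataclass
class Policy:
    allow_providers: bool = False                      # False: same effect as the property set to none
    allowed_classes: set = field(default_factory=set)  # provider classes the operator trusts
    allowed_paths: list = field(default_factory=list)  # modeled on allowed.paths
    env_allowlist: str = r"KAFKA_.*"                   # modeled on allowlist.pattern


def path_allowed(path: str, allowed: list) -> bool:
    """True if the normalized path lies inside one of the allowed directories."""
    norm = posixpath.normpath(path)  # collapses /allowed/../../etc/passwd to /etc/passwd
    roots = [posixpath.normpath(a) for a in allowed]
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def audit_client_config(props: dict, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means the config is admissible."""
    violations = []
    provider_keys = [k for k in props if k == "config.providers" or k.startswith("config.providers.")]
    refs = find_placeholders(props)
    if not policy.allow_providers:
        # Untrusted input may not declare providers or reference them at all.
        violations += [f"provider declaration rejected from untrusted input: {k}" for k in provider_keys]
        violations += [f"placeholder rejected in {k}: {props[k]}" for k, _, _, _ in refs]
        return violations
    classes = {}  # alias -> declared provider class
    for key in provider_keys:
        parts = key.split(".")
        if len(parts) == 4 and parts[3] == "class":
            classes[parts[2]] = props[key]
            if props[key] not in policy.allowed_classes:
                violations.append(f"provider class not in allowlist: {parts[2]}={props[key]}")
    for key, alias, path, name in refs:
        cls = classes.get(alias)
        if cls is None:
            violations.append(f"{key} references undeclared provider {alias}")
        elif cls in (FILE_PROVIDER, DIR_PROVIDER) and not path_allowed(path or "", policy.allowed_paths):
            violations.append(f"{key} reads outside allowed paths: {path}")
        elif cls == ENV_PROVIDER and not re.fullmatch(policy.env_allowlist, name):
            violations.append(f"{key} reads env var outside allowlist: {name}")
    return violations


# Constructed sample of what an untrusted party might submit: it declares the stock
# directory and environment providers and uses them to read /etc/shadow and a secret.
UNTRUSTED = """
bootstrap.servers=broker:9092
config.providers=dir,env
config.providers.dir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
sasl.jaas.config=${dir:/etc:shadow}
client.id=${env:AWS_SECRET_ACCESS_KEY}
"""

# Constructed sample of a legitimate config whose provider is scoped to one directory.
SCOPED = """
bootstrap.servers=broker:9092
config.providers=file
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.file.param.allowed.paths=/opt/app/secrets
ssl.keystore.password=${file:/opt/app/secrets/kafka.properties:keystore.password}
"""

if __name__ == "__main__":
    for v in audit_client_config(parse_properties(UNTRUSTED), Policy()):
        print("REJECT:", v)
```

With the default policy the untrusted sample is rejected on every provider key and placeholder; with providers permitted but confined to /opt/app/secrets and KAFKA_-prefixed variables it is still rejected on the two reads, while the scoped sample passes. Normalizing the path before the prefix check matters: a placeholder of the form ${file:/opt/app/secrets/../../../etc/passwd:key} must not escape the allowed tree.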
- Confluent Cloud
- Confluent Cloud services have already been updated for security hygiene purposes and no further action is necessary.
CVSS Score: 6.8
CVSS v3.1 vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N&version=3.1)