Impacted versions: 1.21 (released November 20, 2020), 1.22, and 1.23
Recommended action: Update the Confluent Cloud CLI tool to version 1.25.
The Confluent Cloud CLI tool, known as ccloud, contained a vulnerability that resulted in the transmission of Confluent API keys and secrets to a third-party data analytics service when users entered an API secret as an argument to the tool.
The third-party service is a vendor used by Confluent to collect metrics and usage data for analysis. Previous versions of the CLI tool filtered the command-line arguments it reported so that API keys and secrets were never transmitted; the impacted versions did not.
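The following is an added example, written for this advisory and not code from ccloud or Confluent, showing what argument filtering of this kind looks like before a CLI hands its invocation to an analytics backend. The flag names (--api-secret, --secret, --password), the sample command lines and the secret values are constructed for the example. It applies two filters: a deny-list of flag names, and a value-based scrub using the secret the command already parsed, which also catches a secret given as a bare positional argument (the case the advisory describes).

```go
package main

import (
	"fmt"
	"strings"
)

// Names of flags whose values are secrets. Hypothetical names chosen for
// this example, not flags taken from the ccloud source.
var sensitiveFlags = map[string]bool{
	"--api-secret": true,
	"--secret":     true,
	"--password":   true,
}

const redacted = "<redacted>"

// RedactArgs returns a copy of argv that is safe to attach to an analytics
// event. Two independent filters are applied:
//   1. the value following any flag in sensitiveFlags is replaced, in both
//      "--flag value" and "--flag=value" forms;
//   2. every occurrence of a value in knownSecrets (for instance the secret
//      the command has just parsed) is replaced wherever it appears, so a
//      secret given as a bare positional argument is still caught.
// Filter 2 is the safety net for filter 1: a deny-list of flag names only
// protects the flags someone remembered to add to it.
func RedactArgs(argv []string, knownSecrets []string) []string {
	out := make([]string, 0, len(argv))
	for i := 0; i < len(argv); i++ {
		arg := argv[i]
		parts := strings.SplitN(arg, "=", 2)
		switch {
		case sensitiveFlags[arg] && i+1 < len(argv):
			// "--flag value": keep the flag name, drop the value.
			out = append(out, arg, redacted)
			i++
		case len(parts) == 2 && sensitiveFlags[parts[0]]:
			// "--flag=value": keep the flag name, drop the value.
			out = append(out, parts[0]+"="+redacted)
		default:
			out = append(out, scrubKnown(arg, knownSecrets))
		}
	}
	return out
}

// scrubKnown replaces any known secret embedded in arg, e.g. "user:SECRET".
func scrubKnown(arg string, knownSecrets []string) string {
	for _, s := range knownSecrets {
		if s != "" {
			arg = strings.ReplaceAll(arg, s, redacted)
		}
	}
	return arg
}

// TelemetryPayload builds the string that would be sent to an analytics
// backend: the invoked command plus redacted arguments. The payload format
// is constructed for this example only.
func TelemetryPayload(argv []string, knownSecrets []string) string {
	return strings.Join(RedactArgs(argv, knownSecrets), " ")
}

func main() {
	// Constructed sample invocations; the key and secret values are made up.
	secret := "Zq8xT2pLm9vWkN4yHb7cRd1sFg6aJe3u"
	cases := [][]string{
		{"ccloud", "api-key", "store", "ABCDEFGHIJKLMNOP", secret},
		{"ccloud", "api-key", "store", "--api-secret", secret},
		{"ccloud", "login", "--password=" + secret},
	}
	for _, c := range cases {
		fmt.Println(TelemetryPayload(c, []string{secret}))
	}
}
```

The point of the second filter is visible when knownSecrets is empty: a secret passed positionally then passes through the deny-list untouched, which is why a CLI should scrub the values it has actually parsed rather than rely on flag names alone. A stricter design is to report only the command path and flag names and drop every value, accepting the loss of some analytics detail.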
As part of our incident response, we immediately instructed the third-party service to stop collection of ccloud analytics data and to delete all such data from its systems. We also released a new version of ccloud, version 1.25, which does not contain this vulnerability.
We have analyzed the data sent to the third-party service and identified the customer accounts from which API keys and secrets were sent. We have notified those customers. Our initial investigation has revealed no evidence of misuse of the API keys or secrets or of any compromise of customer data.
We urge all customers to update the Confluent Cloud CLI tool to version 1.25. If you already have ccloud installed, the simplest way is to log in to the Confluent Cloud CLI and run the following command:
ccloud update
Credits
David Best of CyberCX