Impacted versions:
- All currently available versions of Confluent Platform deployed using the Confluent Operator in SASL Plain mode in the default configuration.
Recommended actions:
- Upgrade Confluent Operator to versions 2.9.7, 2.10.3, 2.11.3, 3.0.1 or later .
- Post upgrade ,follow the steps listed in the remediation section to rotate the weak default hard-coded credential
Issue:
When a CFK cluster is created using SASL_SSL with the PLAIN mechanism, and no additional JAAS configuration is provided, CFK will silently generate a principal (user) named "operator" with a weak, hardcoded password.
Impact to Confluent Platform:
Confluent Platform instances deployed with the Confluent Operator using the default SASL_SSL and PLAIN mechanism configuration are impacted. In this setup, if customers haven’t applied custom security settings, a hardcoded weak password may be present.
An attacker with knowledge of the default hard-coded password with network reachability to the broker could gain unauthorized access. A successful attack would result in the compromise of the confidentiality, integrity, and availability of customer data accessible through the brokers.
Remediation:
Customers should update their running clusters to remove the hardcoded credentials. Please follow the knowledge base article available at Confluent Support Portal. Applying this fix may require up to two full cluster rolls.
CVSS v3.1 Score:
8.0