Impacted versions: CP 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 6.0.0, 6.0.1, 6.0.2, 6.1.0
Recommended action: Update Confluent Platform to 5.4.4, 5.5.4, 6.0.3, 6.1.1 or newer versions
Specific Confluent Platform versions were affected by a security misconfiguration that caused a small subset of sensitive configuration property values (those used to secure the broker's connections to Schema Registry) to be returned to authenticated and authorized users describing topic or broker configurations through the “DescribeConfigs” API.
Protection mechanisms were in place to redact other sensitive configuration values from the responses to describe actions, but the following Schema Registry related SSL configuration values were not protected in the same way:
confluent.ssl.keystore.password
confluent.ssl.key.password
confluent.ssl.truststore.password
These values were inadvertently returned under the following conditions:
- Describing Broker configurations as an authenticated user with the “DESCRIBE_CONFIGS” permission on the “CLUSTER” resource (in versions 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 6.0.0, 6.0.1, 6.0.2 and 6.1.0).
Or:
- Describing Topic configurations as an authenticated user with the “DESCRIBE_CONFIGS” permission on any “TOPIC” resource (in versions 5.4.2 and 5.4.3).
Fixes are included in the patch release versions 5.4.4, 5.5.4, 6.0.3, 6.1.1 (and newer) of Confluent Platform. These fixes address the issue: the sensitive values are no longer returned in responses to broker or topic configuration describe actions. Because any principal holding the permissions listed above could have read these values on an affected version, operators should also consider rotating the affected keystore, key and truststore passwords after upgrading.
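As an added check (this is not code from Confluent or from the advisory), the following Python script parses `kafka-configs --describe` style output for a broker or topic and reports any of the three properties above, or any other secret-looking property, that comes back with a real value instead of a redacted one. The sample output is constructed to resemble that tooling's format; the `describe_broker_live` helper (which uses the confluent-kafka AdminClient), the regular expressions and the `SECRET_NAME` heuristic are assumptions for illustration, not part of the advisory.

```python
"""Audit DescribeConfigs output for unredacted Schema Registry SSL passwords.

Added example, not Confluent's code. Kafka tooling prints "null" for a
sensitive entry whose value was redacted; an affected broker returns the real
value for the three confluent.ssl.* properties instead.
"""
import re
from typing import Dict, List, Tuple

# The three properties the advisory names as returned unredacted.
LEAKED_PROPERTIES = frozenset({
    "confluent.ssl.keystore.password",
    "confluent.ssl.key.password",
    "confluent.ssl.truststore.password",
})

# Heuristic for other secret-bearing property names (audit assumption,
# not a list taken from the advisory).
SECRET_NAME = re.compile(r"password|secret|credentials", re.IGNORECASE)

# Values that mean "redacted or absent" rather than a real secret.
REDACTED = {"null", "", "[hidden]"}

# One `name=value sensitive=true|false synonyms={...}` line (assumed format).
LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.\-]+)=(?P<value>.*?)\s+sensitive=(?P<sensitive>true|false)\b"
)

# Constructed sample: what an affected broker might print (not real output).
SAMPLE_VULNERABLE = """\
All configs for broker 1 are:
  confluent.ssl.keystore.password=changeit sensitive=false synonyms={}
  confluent.ssl.key.password=changeit sensitive=false synonyms={}
  confluent.ssl.truststore.password=changeit sensitive=false synonyms={}
  ssl.keystore.password=null sensitive=true synonyms={}
  confluent.schema.registry.url=https://sr.example.internal:8081 sensitive=false synonyms={}
  log.retention.hours=168 sensitive=false synonyms={}
"""

# Constructed sample: the same broker after the fix, values redacted.
SAMPLE_PATCHED = """\
All configs for broker 1 are:
  confluent.ssl.keystore.password=null sensitive=true synonyms={}
  confluent.ssl.key.password=null sensitive=true synonyms={}
  confluent.ssl.truststore.password=null sensitive=true synonyms={}
  ssl.keystore.password=null sensitive=true synonyms={}
  confluent.schema.registry.url=https://sr.example.internal:8081 sensitive=false synonyms={}
  log.retention.hours=168 sensitive=false synonyms={}
"""


def parse_describe_output(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map each config name to (value, sensitive flag); skip non-matching lines."""
    entries: Dict[str, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries[m["name"]] = (m["value"], m["sensitive"] == "true")
    return entries


def audit_configs(entries: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return sorted names of secret-bearing properties whose value is not redacted.

    The decision is made on the value alone, not on the sensitive flag, because
    a broker that mislabels a property also returns the wrong flag.
    """
    leaked = []
    for name, (value, _sensitive) in entries.items():
        secret_name = name in LEAKED_PROPERTIES or SECRET_NAME.search(name) is not None
        if secret_name and value not in REDACTED:
            leaked.append(name)
    return sorted(leaked)


def describe_broker_live(bootstrap_servers: str, broker_id: int) -> Dict[str, Tuple[str, bool]]:
    """Fetch broker configs with the confluent-kafka AdminClient (needs network; not run offline)."""
    from confluent_kafka.admin import AdminClient, ConfigResource
    admin = AdminClient({"bootstrap.servers": bootstrap_servers})
    resource = ConfigResource(ConfigResource.Type.BROKER, str(broker_id))
    future = admin.describe_configs([resource])[resource]
    return {
        name: ("null" if entry.value is None else str(entry.value), bool(entry.is_sensitive))
        for name, entry in future.result().items()
    }


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, "->", audit_configs(parse_describe_output(sample)) or "no leaked values")
```

Run the script as-is against the constructed samples, or feed it real `kafka-configs --describe --entity-type brokers --entity-name <id> --all` output; a non-empty result on a broker you believe is patched means the upgrade did not take effect on that broker.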
CVSS v3.1 Base Score: 4.9 (Medium)
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N&version=3.1