Impacted Versions
- Confluent Platform versions <= 7.4.13, <= 7.5.12, <= 7.6.9,<= 7.7.7, <= 7.8.6, <= 7.9.5, <=8.0.3, <= 8.1.1
- Confluent Cloud managed clusters
Recommended Action
- Confluent Platform: Please upgrade to CP versions: 7.4.14, 7.5.13, 7.6.10, 7.7.8, 7.8.7, 7.9.6, 8.0.4, 8.1.2
- Confluent Cloud: Managed Confluent Cloud clusters were identified to be vulnerable to this issue. However, all managed clusters have been upgraded. Please note that no security impact was observed for the impacted clusters. No further action is necessary at this time.
- Rebuild and redeploy any custom Java based Kafka clients that may have been built with Confluent Platform versions <= 7.4.13, <= 7.5.12, <= 7.6.9,<= 7.7.7, <= 7.8.6, <= 7.9.5, <=8.0.3, <= 8.1.1 .
Issue
A security issue was identified to impact both Confluent Platform and Confluent Cloud managed clusters due to a bug in the Apache Kafka producer client. This issue can cause messages to be delivered to incorrect topics under specific timing conditions.
The issue originates from the reuse of a message buffer as part of a performance optimization in the producer client. In rare cases, this buffer reuse can result in messages being misrouted to unintended topics. The likelihood of this issue occurring is extremely low and depends on specific timing conditions.
Mitigation
There are no known temporary workarounds or mitigations.
Remediation
Upgrade to the latest version of Confluent Platform:
- Confluent Platform: This issue is resolved in the CP patch release versions 7.4.14, 7.5.13, 7.6.10, 7.7.8, 7.8.7, 7.9.6, 8.0.4, 8.1.2
- Confluent Cloud: This issue has already been resolved in Confluent Cloud and no further action is necessary.
Original CVSS Score:
Adjusted CVSS Score:
7.7
CVSS v3.1 Calculator:
NVD - CVSS v3.1 Calculator Link
References:
Apache Kafka JIRA: KAFKA-19012