Impacted Versions
- Confluent Kafka Community Version 8.1.0, 8.1.1 configured with sasl.enabled.mechanisms=OAUTHBEARER
Please note: This CVE and associated advisory does not impact Confluent Platform or managed Confluent Cloud Kafka clusters.
Recommended Action
- Upgrade to Confluent Kafka Community Version 8.1.2
Issue
A security issue affecting Confluent Kafka Community Version has been identified, caused by a flaw in JWT validation. This issue could allow an unauthorized user to bypass authentication and ACL-based authorization.
Mitigation
Upgrade to Confluent Kafka Community Version 8.1.2. If an immediate upgrade is not possible, apply one of the temporary workarounds below:
- Explicitly set the validator class to BrokerJwtValidator:
sasl.oauthbearer.jwt.validator.class=org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator
- Switch to an alternative SASL mechanism such as PLAIN (over TLS), SCRAM-SHA-256, SCRAM-SHA-512, or GSSAPI (Kerberos) until the upgrade can be performed.
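The following audit script is an added example, not Confluent's tooling or part of the advisory. It reads a Kafka broker properties file and reports whether the broker has OAUTHBEARER enabled and, if so, whether the first workaround (pinning sasl.oauthbearer.jwt.validator.class to BrokerJwtValidator) is in place. The property keys and the validator class name come from the advisory; the status words, file names and sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not Confluent's tooling): checks a Kafka broker
# properties file for the advisory's first workaround, which pins
# sasl.oauthbearer.jwt.validator.class to BrokerJwtValidator on brokers
# that have OAUTHBEARER enabled.

# Value taken from the advisory's workaround.
EXPECTED_VALIDATOR='org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator'

# prop_value FILE KEY: print KEY's value. The last definition wins, as in
# java.util.Properties; '#' comment lines never match because the key
# would carry the leading '#'.
prop_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)   # keep any "=" inside the value
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# check_broker_config FILE: print NOT_AFFECTED, WORKAROUND_APPLIED or
# NEEDS_ACTION (status words are this example's, not the advisory's).
# Exit status is 1 only for NEEDS_ACTION so the check can gate a CI job.
check_broker_config() {
    mechs=$(prop_value "$1" sasl.enabled.mechanisms | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    case ",$mechs," in
        *,OAUTHBEARER,*) ;;                 # affected mechanism is enabled
        *) echo NOT_AFFECTED; return 0 ;;   # advisory scope: OAUTHBEARER only
    esac
    validator=$(prop_value "$1" sasl.oauthbearer.jwt.validator.class)
    if [ "$validator" = "$EXPECTED_VALIDATOR" ]; then
        echo WORKAROUND_APPLIED
        return 0
    fi
    echo NEEDS_ACTION
    return 1
}

# Constructed sample broker configs, written to a temp dir so the script
# runs offline. Only the property keys and the validator class are real.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/unpinned.properties" <<'EOF'
# OAUTHBEARER enabled, validator class not pinned
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=PLAIN, OAUTHBEARER
EOF
cat > "$SAMPLE_DIR/pinned.properties" <<'EOF'
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER
sasl.oauthbearer.jwt.validator.class=org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator
EOF
cat > "$SAMPLE_DIR/scram.properties" <<'EOF'
# second workaround: alternative mechanism, OAUTHBEARER not enabled
sasl.enabled.mechanisms=SCRAM-SHA-512
EOF

for f in "$SAMPLE_DIR"/*.properties; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_broker_config "$f")"
done
```

Point `check_broker_config` at each broker's server.properties (or the rendered config from your deployment tooling) to confirm the workaround landed on every broker; a NEEDS_ACTION result means OAUTHBEARER is enabled without the validator class pinned, which is the configuration the advisory covers. The check reads static configuration only and does not confirm the running broker version, so it complements rather than replaces the upgrade to 8.1.2.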
Remediation
Upgrade to Confluent Kafka Community Version 8.1.2
Original CVSS Score:
9.1 (CVSS v3.1 calculator)
Adjusted CVSS Score:
8.1 (CVSS v3.1 calculator)