Impacted versions:
- Confluent Platform releases earlier than the patched versions 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14 and 7.4.15 (one per supported release line)
- Confluent Cloud ksqlDB managed clusters
Recommended action:
- Confluent Cloud customers do not need to take any action. Confluent has patched all impacted ksqlDB managed clusters.
- Confluent Platform customers should upgrade to the latest patched release versions.
Issue:
Multiple remote code execution (RCE) vulnerabilities have been identified in ksqlDB's runtime code generation layer.
ksqlDB uses an embedded Java compiler (Janino) to compile and execute SQL expressions at runtime. Due to insufficient sanitization of user-supplied SQL identifiers when embedded into generated Java code, an authenticated user can craft SQL queries that inject arbitrary Java code into the compilation pipeline. The injected code is then executed on the ksqlDB server during query evaluation.
Authenticated users with privileges to execute ksqlDB queries can inject arbitrary code through embedded SQL identifiers, including STRUCT field names, lambda expressions, CAST expressions, and schema-derived field names. Successful exploitation results in arbitrary code execution on the ksqlDB cluster.
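The root cause described above is identifier text being pasted into generated Java source as if it were code. The Java helper below is an added illustration written for this page, not ksqlDB's code or its fix: it allowlists names that must become bare Java identifiers (lambda parameter names, for example) and emits any other user-controlled name only as an escaped string literal, so it stays data when Janino compiles the result. `struct.get(...)` is an assumed stand-in for whatever call the real generator emits.

```java
import java.util.regex.Pattern;

/** Added illustration: keeping user-controlled SQL identifiers out of generated Java source. */
public final class IdentifierEmbedding {
    // Only names of this shape may be pasted into generated code as bare Java identifiers.
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** True when the name can be emitted verbatim, e.g. as a lambda parameter name. */
    public static boolean isSafeIdentifier(String name) {
        return name != null && SAFE_IDENTIFIER.matcher(name).matches();
    }

    /** Renders s as a Java string literal so the compiled code only ever sees it as data. */
    public static String toJavaStringLiteral(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                default:
                    // Octal, not \\uXXXX: Java decodes \\u escapes before tokenizing the literal.
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\%03o", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    /** The unsafe pattern the advisory describes: identifier text pasted straight into source. */
    public static String vulnerableFieldAccess(String fieldName) {
        return "struct.get(\"" + fieldName + "\")";   // struct.get(...) is an assumed stand-in
    }
    /** Hardened: the same call site, but the name is escaped and cannot close the literal early. */
    public static String hardenedFieldAccess(String fieldName) {
        return "struct.get(" + toJavaStringLiteral(fieldName) + ")";
    }

    public static void main(String[] args) {
        String hostile = "na\"me;";   // constructed sample: a field name carrying a quote and a semicolon
        System.out.println("bare identifier allowed? " + isSafeIdentifier(hostile));
        System.out.println("unsafe:   " + vulnerableFieldAccess(hostile));
        System.out.println("hardened: " + hardenedFieldAccess(hostile));
    }
}
```

Names that pass the allowlist can still collide with Java keywords or with names the generator itself uses, so generators normally also prefix or mangle them. The escaping path is the one to use wherever the generated code needs a string value rather than a Java identifier.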
Remediation:
- Confluent Platform: this issue is resolved in the following versions of Confluent Platform: 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14, 7.4.15.
- Confluent Cloud: Confluent Cloud managed clusters have already been patched and no further action is necessary.
CVSS Scores:
- Confluent Cloud: CVSS v3.1 base score 9.1 (CVSS v3.1 Calculator)
- Confluent Platform: CVSS v3.1 base score 8.4 (CVSS v3.1 Calculator)