Impacted versions:
- Confluent Platform < 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14, 7.4.15
- Confluent Cloud ksqlDB managed clusters
Recommended action:
- Confluent Cloud customers do not need to take any action. Confluent has patched all impacted ksqlDB managed clusters.
- Confluent Platform customers should upgrade to the latest patched release versions.
Issue:
The test endpoint (POST /test) in ksqlDB was identified as being vulnerable to remote code execution and arbitrary file read issues.
The POST /test endpoint was designed as an internal development and testing facility for ksqlDB developers. It accepts arbitrary SQL test suites and executes them within a fresh KsqlEngine context, processing SQL test directives through an internal execution engine that bypasses the security validators enforced on all other ksqlDB REST endpoints.
Impact:
The exposure of this endpoint introduces two distinct vulnerabilities:
- Remote Code Execution (RCE): Authenticated users with privileges to submit ksqlDB queries can supply SQL expressions to the test endpoint. These expressions are compiled and executed by the Janino code generation pipeline without the sanitization controls applied to other ksqlDB REST endpoints, resulting in arbitrary code execution on the ksqlDB server.
- Arbitrary File Read: Authenticated users with the same privileges can invoke the RUN SCRIPT directive to read any file from the server pod's filesystem by absolute path, with no path restrictions. File contents are returned in the HTTP error response.
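Because the issue is confined to one endpoint, a defender reviewing historical traffic can look specifically for POST requests to /test on the ksqlDB REST listener. The following is an added example (not Confluent's code or part of this advisory) that scans HTTP access log lines for such requests. The log lines and their combined-log-style format are constructed for the example; a real ksqlDB server or reverse proxy may log in a different format, in which case the regular expression would need adjusting. It also ranks a hit higher when the response was an error carrying a large body, since the advisory notes that the arbitrary file read returns file contents in the HTTP error response.

```python
import re
from dataclasses import dataclass

# Constructed combined-log-style format: client, ident, user, timestamp,
# request line, status, response size. Adjust for your actual log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Threshold (assumption, not from the advisory) above which an error body on
# /test is large enough to be worth treating as possible file-read output.
LARGE_ERROR_BYTES = 4096

# Constructed sample lines for the example; only the /test hits are findings.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "POST /ksql HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jan/2025:10:00:01 +0000] "POST /test HTTP/1.1" 200 88
10.0.0.9 - bob [01/Jan/2025:10:00:02 +0000] "POST /test HTTP/1.1" 500 20480
10.0.0.5 - alice [01/Jan/2025:10:00:03 +0000] "GET /info HTTP/1.1" 200 130
"""


@dataclass
class Finding:
    ip: str
    user: str
    timestamp: str
    status: int
    size: int
    severity: str


def scan_access_log(lines):
    """Return one Finding per POST /test request found in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        # Normalise the path: drop any query string and trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        if m["method"] != "POST" or path != "/test":
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # An error response with a large body matches the file-read pattern
        # described in the advisory; any other /test call is still notable.
        severity = "high" if status >= 400 and size >= LARGE_ERROR_BYTES else "medium"
        findings.append(Finding(m["ip"], m["user"], m["ts"], status, size, severity))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.ip} user={f.user} status={f.status} bytes={f.size} at {f.timestamp}")
```

Run over the server's real access logs once the format has been matched, and treat any hit from a principal that is not a ksqlDB developer as worth a closer look, since the endpoint was never meant for production use.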
Remediation:
- Confluent Platform:
  - This issue is resolved in the following versions of Confluent Platform: 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14, 7.4.15.
- Confluent Cloud:
  - Confluent Cloud managed clusters have already been patched and no further action is necessary.
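Because the fix was released on nine separate minor lines, "upgrade to the latest patched release" means the first patched version on the line you are running, not necessarily 8.2.1. The following is an added example (not Confluent's code) that takes an installed Confluent Platform version string, finds the fixed version for that major.minor line from the list in this advisory, and reports whether the install is patched. Handling of a build suffix such as `-ccs` (stripped before comparison) is an assumption about how the version string may be presented, not something stated in the advisory.

```python
# Fixed versions exactly as listed in the advisory; one per major.minor line.
PATCHED_VERSIONS = [
    "8.2.1", "8.1.3", "8.0.5",
    "7.9.7", "7.8.8", "7.7.9", "7.6.11", "7.5.14", "7.4.15",
]


def parse_version(version: str) -> tuple:
    """Turn '7.9.7' (or '7.9.7-ccs', suffix assumed and dropped) into (7, 9, 7)."""
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts[:3]


def fixed_version_for_line(version: str):
    """Return the advisory's fixed version on the same major.minor line, or None."""
    line = parse_version(version)[:2]
    for fixed in PATCHED_VERSIONS:
        if parse_version(fixed)[:2] == line:
            return fixed
    return None


def assess(version: str) -> str:
    """Classify an installed version as 'patched', 'unpatched', or 'no fix listed'.

    'no fix listed' covers lines the advisory does not name (e.g. 7.3.x, or a
    line newer than 8.2); such installs need a separate decision, since this
    advisory gives them no target version.
    """
    fixed = fixed_version_for_line(version)
    if fixed is None:
        return "no fix listed"
    return "patched" if parse_version(version) >= parse_version(fixed) else "unpatched"


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for v in ["7.9.6", "7.9.7", "8.2.0-ccs", "8.2.1", "7.3.2"]:
        print(f"{v:10} -> {assess(v)} (fix: {fixed_version_for_line(v)})")
```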
CVSS Scores:
- Confluent Cloud:
  - CVSS: 9.1 (CVSS v3.1 Calculator)
- Confluent Platform:
  - CVSS: 8.4 (CVSS v3.1 Calculator)