Impacted Versions
- Confluent Platform versions earlier than 7.5.15, 7.6.12, 7.7.10, 7.8.9 and 7.9.8 in their respective release lines
Recommended Action
- Upgrade to Confluent Platform version 7.5.15, 7.6.12, 7.7.10, 7.8.9 or 7.9.8, whichever matches your release line
Issue
A security vulnerability affecting Confluent Platform has been identified. It stems from a flaw in Apache ZooKeeper, a third-party open-source component shipped with Confluent Platform. Because of this flaw, ZooKeeper servers and clients could be instantiated in a way that allows them to connect to an untrusted ZooKeeper server, potentially resulting in a loss of confidentiality and integrity of the data exchanged with ZooKeeper.
Mitigation
Upgrade to a fixed Confluent Platform version. If an immediate upgrade is not feasible, apply the following hardening measures in the meantime; they significantly reduce the potential for exploitation but do not replace the upgrade:
- Ensure that the Confluent Platform infrastructure resolves the ZooKeeper servers' hostnames through customer-controlled DNS servers that are authoritative for the zones containing those hostnames, so that name resolution for the ZooKeeper ensemble cannot be influenced by untrusted resolvers.
- Restrict the ZooKeeper truststore so that it contains only the private certificate authority (CA) bundles used for ZooKeeper and Kafka. Remove any public or unrelated CA certificates: any CA present in the truststore can issue a server certificate that the ZooKeeper client or quorum peer will accept.
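The two interim measures above can be checked mechanically against a broker's configuration. The following is an added example, not Confluent's or Apache ZooKeeper's own code: it audits a Kafka broker `server.properties` for ZooKeeper hostnames outside the customer-controlled DNS zones, for a broker-to-ZooKeeper connection that is not TLS, and for a truststore other than the restricted private-CA one. The zone `zk.corp.example`, the truststore path, and both sample configurations are constructed for the example; the property names `zookeeper.connect`, `zookeeper.ssl.client.enable` and `zookeeper.ssl.truststore.location` are the standard Kafka broker settings for ZooKeeper TLS.

```python
# Added example (not Confluent's or ZooKeeper's own code): audit a Kafka broker
# properties file for the two interim hardening measures in this advisory.
import re

# Assumptions for the example (hypothetical values): the DNS zone below is the
# customer-controlled, authoritative zone for the ZooKeeper hostnames, and the
# truststore path is the one holding only the private ZooKeeper/Kafka CA.
AUTHORITATIVE_ZONES = ("zk.corp.example",)
ALLOWED_TRUSTSTORES = ("/var/ssl/private/zk-private-ca.truststore.p12",)

_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal java.util.Properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def zk_hosts(connect):
    """Split 'h1:2181,h2:2181/chroot' into ['h1', 'h2'] (chroot and ports dropped)."""
    hosts_part = connect.split("/", 1)[0]
    hosts = []
    for entry in hosts_part.split(","):
        entry = entry.strip()
        if entry:
            hosts.append(entry.rsplit(":", 1)[0].lower())
    return hosts


def in_authoritative_zone(host):
    """True if the host name lies inside one of the customer-controlled zones."""
    return any(host == z or host.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def audit_broker_config(text):
    """Return a list of findings; an empty list means both measures are in place."""
    p = parse_properties(text)
    findings = []
    connect = p.get("zookeeper.connect", "")
    if not connect:
        findings.append("zookeeper.connect is not set")
    for host in zk_hosts(connect):
        if not in_authoritative_zone(host):
            findings.append(
                f"ZooKeeper host {host!r} is outside the customer-controlled zones "
                f"{AUTHORITATIVE_ZONES}")
    if p.get("zookeeper.ssl.client.enable", "false").lower() != "true":
        findings.append(
            "zookeeper.ssl.client.enable is not true: the broker-to-ZooKeeper "
            "connection is not TLS")
    ts = p.get("zookeeper.ssl.truststore.location")
    if not ts:
        findings.append(
            "zookeeper.ssl.truststore.location is not set (the JVM default "
            "truststore would be used)")
    elif ts not in ALLOWED_TRUSTSTORES:
        findings.append(
            f"zookeeper.ssl.truststore.location {ts!r} is not the restricted "
            "private-CA truststore")
    return findings


# Constructed sample: one ZooKeeper host outside the controlled zone, no TLS,
# no explicit truststore.
WEAK_CONFIG = """\
broker.id=1
zookeeper.connect=zk1.zk.corp.example:2182,zk-dr.partner.example:2182/kafka
zookeeper.ssl.client.enable=false
"""

# Constructed sample that satisfies both interim measures.
HARDENED_CONFIG = """\
broker.id=1
zookeeper.connect=zk1.zk.corp.example:2182,zk2.zk.corp.example:2182,zk3.zk.corp.example:2182/kafka
# Netty socket is required by Kafka for TLS to ZooKeeper
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.truststore.location=/var/ssl/private/zk-private-ca.truststore.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_broker_config(cfg) or 'OK'}")
```

Run it against each broker's `server.properties`; the same pattern applies to `zoo.cfg` on the ZooKeeper servers by checking `ssl.quorum.trustStore.location` and the `server.N=` hostnames instead.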
Remediation
Upgrade to Confluent Platform version 7.5.15, 7.6.12, 7.7.10, 7.8.9 or 7.9.8, whichever matches your release line.
CVSS Scores
- Original: 7.4 (CVSS v3.1)
- Adjusted: 5.7 (CVSS v3.1, adjusted for Confluent Platform)