Impacted Versions
- Confluent Platform versions earlier than 7.5.15, 7.6.12, 7.7.10, 7.8.9, 7.9.8, 8.0.6, 8.1.4 and 8.2.2 (that is, any release below the fixed version of its minor line)
- Confluent Cloud managed clusters
Recommended Action
- Upgrade to Confluent Platform version 7.5.15, 7.6.12, 7.7.10, 7.8.9, 7.9.8, 8.0.6, 8.1.4 or 8.2.2 (the fixed release of your minor line)
- Confluent Cloud: no action is needed; the issue has already been remediated in Confluent Cloud
Issue
A security vulnerability affecting both Confluent Platform and Confluent Cloud has been identified, caused by improper handling of compressed data schemas. Because of this flaw, processing a maliciously crafted schema can exhaust memory in the Schema Registry, resulting in a potential loss of availability (denial of service).
Mitigation
Until you are able to upgrade and enable the size-limit filter, you can reduce your exposure by enforcing a maximum request body size at an upstream reverse proxy, load balancer, or API gateway placed in front of Schema Registry (for example, client_max_body_size in nginx). You should also restrict network access to the schema registration endpoints so that only trusted clients can reach them, and require authentication wherever possible.
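The following nginx fragment is an added example of the interim mitigation described above; it is not Confluent's own configuration. It assumes Schema Registry listens on 127.0.0.1:8081 (its default port), that trusted producers sit in the 10.0.0.0/8 network, and that an htpasswd file exists at /etc/nginx/schema-registry.htpasswd; the hostname and TLS paths are placeholders. It shows the weak setting (no body limit) beside the hardened one, and restricts the schema-registration and compatibility endpoints to trusted, authenticated clients while leaving read-only lookups reachable.

```nginx
# Added example (not Confluent's own configuration): nginx reverse proxy in front of
# Schema Registry. Assumptions: Schema Registry on 127.0.0.1:8081, trusted clients in
# 10.0.0.0/8, credentials in /etc/nginx/schema-registry.htpasswd. Adjust to your site.

upstream schema_registry {
    server 127.0.0.1:8081;
}

server {
    listen 443 ssl;
    server_name schema-registry.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/schema-registry.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/schema-registry.key;

    # Weak setting: a value of 0 disables nginx's body-size check entirely and
    # forwards request bodies of any size to Schema Registry.
    # client_max_body_size 0;

    # Hardened setting: reject any request body larger than 1 MB with HTTP 413
    # before it is forwarded. 1m matches the recommended starting value for
    # size.limit.filter.max.request.body.size (1048576 bytes).
    client_max_body_size 1m;

    # Schema registration (POST /subjects/{subject}/versions) and compatibility
    # checks (POST /compatibility/...) accept schema bodies: allow only trusted
    # networks and require credentials for them.
    location ~ ^/(subjects/[^/]+/versions|compatibility/) {
        allow 10.0.0.0/8;
        deny  all;

        auth_basic           "Schema Registry";
        auth_basic_user_file /etc/nginx/schema-registry.htpasswd;

        proxy_pass http://schema_registry;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Read-only lookups (GET /schemas/ids/{id}, GET /subjects, ...) inherit the
    # server-wide body limit but need no further restriction here.
    location / {
        proxy_pass http://schema_registry;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` and a reload, a POST to a registration endpoint with a body above 1 MB should return 413 from nginx and never reach Schema Registry, which is the check to run to confirm the limit is in effect. The proxy limit is a stop-gap, not a replacement: once upgraded, still enable the size-limit filter so that the registry enforces the limit itself, independent of the network path a request takes.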
Remediation
Please upgrade to Confluent Platform version 7.5.15, 7.6.12, 7.7.10, 7.8.9, 7.9.8, 8.0.6, 8.1.4 or 8.2.2 and configure the two new directives:
- size.limit.filter.enabled — enables the filter. The default is false to preserve backward compatibility, so the filter provides no protection unless you explicitly set it to true.
- size.limit.filter.max.request.body.size — the maximum allowed request body size, in bytes (recommended starting value: 1048576, i.e. 1 MB).
CVSS Scores
- Confluent Platform: 5.7 (CVSS v3.1)
- Confluent Cloud: 8.6 (CVSS v3.1)
Acknowledgement
This vulnerability was responsibly reported and disclosed by Oleh Konko of 1seal.