Impacted versions
- Confluent Docker images published on April 1, 2022 for versions CP 5.3.8, CP 5.4.7, CP 5.5.8, CP 6.0.6, CP 6.1.5, CP 6.2.3, CP 7.0.2 and CP 7.1.0
- Confluent Operator Docker Hub images tagged 6.0.6.0 and 6.1.5.0, including cp-init-container-operator, cp-zookeeper-operator, cp-server-operator, cp-server-connect-operator, cp-ksqldb-server-operator, cp-enterprise-replicator-operator, cp-schema-registry-operator and cp-enterprise-control-center-operator
- Any earlier supported versions of Confluent Platform Docker images with a custom Log4j root appender enabled at DEBUG level
Recommended action
- For CP Docker images: update to the latest available image versions for CP 5.3.8, CP 5.4.7, CP 5.5.8, CP 6.0.6, CP 6.1.5, CP 6.2.3, CP 7.0.2 and CP 7.1.0 published on or after April 7, 2022.
- For CP Operator/CFK images: update to the latest available tags 6.1.5.1 and 6.0.6.1 for all image references, including layered images for cp-init-container-operator, cp-zookeeper-operator, cp-server-operator, cp-server-connect-operator, cp-ksqldb-server-operator, cp-enterprise-replicator-operator, cp-schema-registry-operator and cp-enterprise-control-center-operator.
Confluent Platform and Confluent for Kubernetes (CFK, formerly Confluent Operator) include an internal health check utility that checks whether the Confluent Kafka broker is ready. A DEBUG-level logging statement was identified in this utility that logs the underlying Confluent Kafka configuration, including sensitive parameters, under the following two conditions:
1. Default configuration for Confluent Platform and Confluent Operator/CFK Docker Images published on April 1, 2022:
Recently, Confluent Platform and Confluent Operator/CFK Docker images were released as part of our quarterly patch release updates for Q1 2022. These images also included a code change that configured the impacted internal health check utility with a default Log4j appender set up by Log4j's BasicConfigurator. Invoking BasicConfigurator.configure by default sets the logger level for this short-lived Java process to Level.DEBUG. As a result, any instantiation of these impacted images can write unobfuscated sensitive information from the Confluent Kafka configuration to standard output, exposing it to any downstream logging pipelines.
2. A custom Log4j root appender was configured on Confluent Platform or Confluent Operator/CFK Docker images:
Until the patch releases mentioned above, the default configuration of the Confluent Platform and Operator component-specific Docker images had no Log4j appender configured. As a result, this DEBUG-level logging statement did not affect older Confluent Platform releases unless a custom root-level Log4j appender was explicitly configured. Where such a custom appender was configured, unobfuscated sensitive information from the Confluent Kafka configuration could have been written to standard output and exposed to any downstream logging pipelines.
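Both conditions above come down to the same Log4j 1.x behaviour: once an appender is attached to the root logger (by BasicConfigurator or by a custom root appender), the default DEBUG level lets a debug() call that dumps the broker configuration reach standard output. The following added example, which is not Confluent's code, reproduces that pattern with a constructed configuration map (the key names are Kafka client settings, the values are placeholders) and shows the remediation the advisory describes: not emitting the statement at DEBUG and not returning sensitive values.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.log4j.BasicConfigurator;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

/** Demonstrates the DEBUG-level configuration dump and a redacting alternative. */
public class HealthCheckLoggingDemo {
    private static final Logger LOG = Logger.getLogger(HealthCheckLoggingDemo.class);

    // Substrings that mark a config key as sensitive (illustrative list, not Confluent's).
    private static final String[] SENSITIVE_MARKERS = {"password", "secret", "sasl.jaas.config", "token"};

    /** Returns a copy of the config with sensitive values replaced by a fixed mask. */
    static Map<String, String> redact(Map<String, String> config) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            out.put(e.getKey(), isSensitive(e.getKey()) ? "[hidden]" : e.getValue());
        }
        return out;
    }

    static boolean isSensitive(String key) {
        String k = key.toLowerCase();
        for (String marker : SENSITIVE_MARKERS) {
            if (k.contains(marker)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the values are placeholders, not real credentials.
        Map<String, String> config = new LinkedHashMap<>();
        config.put("bootstrap.servers", "broker-0:9092");
        config.put("security.protocol", "SASL_SSL");
        config.put("ssl.truststore.password", "PLACEHOLDER_TRUSTSTORE_PASSWORD");
        config.put("sasl.jaas.config", "PlainLoginModule required username=\"svc\" password=\"PLACEHOLDER\";");

        // Vulnerable pattern: BasicConfigurator attaches a console appender and the root
        // logger stays at DEBUG, so this line prints every value, secrets included.
        BasicConfigurator.configure();
        LOG.debug("Broker config (vulnerable pattern): " + config);

        // Remediated pattern: raise the root level so stray debug() calls are suppressed,
        // and never hand raw values to the logger in the first place.
        Logger.getRootLogger().setLevel(Level.INFO);
        LOG.debug("Broker config: " + config);                    // no longer emitted
        LOG.info("Broker config (redacted): " + redact(config));  // safe for log pipelines
    }
}
```

Running it with log4j 1.2 on the classpath prints the raw map once (the vulnerable line) and then the redacted map; only the second form should ever be shipped to a downstream logging pipeline.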
Remediation
We have included fixes in the updated Docker images made available for Confluent Platform versions 5.3.8-2, 5.4.7-2-ubi8, 5.4.7-2-deb8, 5.5.8-2-ubi8, 5.5.8-2-deb8, 6.0.6-2-ubi8, 6.1.5-2-ubi8, 6.2.3-2-ubi8, 7.0.2-2-ubi8 and 7.1.0-2-ubi8, as well as in the images for Confluent Operator / CFK version tags 6.1.5.1 and 6.0.6.1. These fixes address the issue: the vulnerable DEBUG-level logging statement has been removed from the code, and the sensitive values in the Confluent Kafka configuration are no longer returned.
If you are using a custom Log4j root appender, we also recommend upgrading to the latest version to prevent sensitive configuration data from being logged.
CVSS Score: 6.0
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N&version=3.1