Impacted versions: Confluent Platform versions 6.2.0, 6.2.1, 6.2.2, 6.2.3, 7.0.0, 7.0.1, 7.0.2, 7.1.0
Recommended action: Update to the latest available Confluent Platform versions CP 6.2.4, 7.0.3 and 7.1.1
The Confluent Platform Metadata Service (MDS) manages a variety of metadata about your Confluent Platform installations. In the impacted CP versions, a custom MDS-specific logger was configured to emit INFO-level log lines, for debugging purposes, for the various health checks that the Confluent Control Center application periodically issues, including authenticated health check calls to the MDS service.
Although the logger contained code to strip sensitive information from the logged request, including the “Authorization” and “Cookie” headers and their values, that code matched header names only in a case-sensitive manner. The open-source HTTP client library that the Control Center application uses for its internal health check requests to MDS issues GET requests with the header name in lowercase, “authorization”, and that is the form that reaches the MDS logger. The lowercase “authorization” header and its value were therefore not dropped: they were written to standard output and exposed to any downstream logging pipelines.
Remediation
We have included fixes in the updated Confluent Platform versions 6.2.4, 7.0.3 and 7.1.1. These fixes adequately address this issue, as the vulnerable INFO level logging statement within MDS logger has been patched to remove sensitive values in a case-insensitive manner, and the sensitive authorization header values are no longer emitted in the logger messages.
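The flaw described above and the shape of the fix, as an added illustration that is not Confluent's code: a case-sensitive header filter beside its case-insensitive replacement, run over a constructed health-check request, plus a defender-side check for log lines already written by an impacted version. The header values, the /health path and the log line format are assumptions for the example.

```python
import re

# Added example (not Confluent's code). HTTP header names are case-insensitive,
# so a redaction filter that only matches the exact spelling "Authorization"
# lets a client-sent "authorization" header through to the log.

SENSITIVE_HEADERS = {"authorization", "cookie"}
REDACTED = "[REDACTED]"


def redact_case_sensitive(headers):
    """Flawed pattern described in the advisory: exact-case match only."""
    return {k: (REDACTED if k in ("Authorization", "Cookie") else v)
            for k, v in headers.items()}


def redact_case_insensitive(headers):
    """Hardened filter: normalise the header name before comparing."""
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def format_log_line(method, path, headers):
    """Render an INFO-style request line the way a debug logger might."""
    rendered = "; ".join(f"{k}={v}" for k, v in headers.items())
    return f"INFO {method} {path} headers[{rendered}]"


# Constructed sample of a health-check request whose client lowercases the
# header name. The credential is a made-up value (demo:placeholder), not a secret.
SAMPLE_SECRET = "Basic ZGVtbzpwbGFjZWhvbGRlcg=="
SAMPLE_HEADERS = {
    "Host": "mds.example.internal",
    "authorization": SAMPLE_SECRET,
    "User-Agent": "health-check/1.0",
}

# Defender-side check for logs already written by an impacted version:
# flag any line that still carries an unredacted Basic/Bearer credential.
_LEAK_RE = re.compile(r"(?i)\bauthorization=(?:basic|bearer)\s+\S+")


def find_leaked_auth(log_lines):
    """Return the log lines that expose a raw Authorization value."""
    return [line for line in log_lines if _LEAK_RE.search(line)]


def leaked_with(redactor):
    """Log the sample request through `redactor` and report leaking lines."""
    line = format_log_line("GET", "/health", redactor(SAMPLE_HEADERS))
    return find_leaked_auth([line])
```

Running `leaked_with(redact_case_sensitive)` reproduces the leak, while `leaked_with(redact_case_insensitive)` returns no lines; `find_leaked_auth` can be pointed at archived MDS logs to decide whether credentials used by Control Center should be rotated.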
CVSS Score: 4.4
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N&version=3.1