Impacted versions:
- Confluent Platform versions up to and including 5.4.8, 5.5.10, 6.0.8, 6.1.6, 6.2.5, 7.0.4, 7.1.2 and 7.2.0
- Confluent Cloud
Recommended action:
- Update to the latest available Confluent Platform versions CP 5.4.9, 5.5.11, 6.0.9, 6.1.7, 6.2.6, 7.0.5, 7.1.3, 7.2.1
- Managed KSQL clusters in Confluent Cloud are already patched and no further action is necessary
Issue:
The KSQL-Connect integration in Confluent Platform and Confluent Cloud provides functionality to manage and integrate with Connect. It lets customers use the KSQL editor to create and describe connectors and to import topics created by Connect into KSQL.
By default, KSQL logs incoming requests, including but not limited to CREATE CONNECTOR statements. Those statements may contain sensitive configuration values, such as the Kafka cluster API secret and other connector-specific credentials, so logging them could expose those values to downstream logging pipelines.
Remediation:
We have included fixes in Confluent Cloud as well as in the updated Confluent Platform versions 5.4.9, 5.5.11, 6.0.9, 6.1.7, 6.2.6, 7.0.5, 7.1.3 and 7.2.1. These fixes address the issue: known sensitive configuration values are now masked in the logger statements.
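The following Python code is an added example and is not Confluent's fix or ksqlDB code (ksqlDB itself is written in Java). It illustrates both parts of the advisory above: the logging problem described under "Issue" and the masking approach described under "Remediation". It masks the values of known-sensitive properties in a CREATE CONNECTOR statement before the statement text reaches a logger, and it includes an audit helper that flags sensitive values logged in the clear by an unpatched version, so the affected credentials can be identified and rotated. The sensitive-key patterns, the connector property names and values, and the log lines are all constructed for this example; the advisory does not enumerate which keys Confluent masks.

```python
import re

# Key patterns treated as sensitive. This list is an assumption made for the
# example: the advisory says "known sensitive configurations" are masked but
# does not enumerate them, so a deployment should derive its own list from
# the connectors it actually runs.
SENSITIVE_KEY_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE)
    for p in (
        r"password",
        r"secret",
        r"sasl\.jaas\.config",
        r"(api|access|private)[._-]?key",
        r"token",
    )
)

MASK = "[hidden]"

# One  'key' = 'value'  property inside a WITH (...) clause. A value may
# contain doubled single quotes (''), the SQL escape for a literal quote.
_PROPERTY_RE = re.compile(r"'(?P<key>[^']+)'\s*=\s*'(?P<value>(?:[^']|'')*)'")


def is_sensitive_key(key: str) -> bool:
    """True if a connector property name looks like it carries a credential."""
    return any(p.search(key) for p in SENSITIVE_KEY_PATTERNS)


def mask_connector_statement(statement: str) -> str:
    """Return the statement with every sensitive property value replaced by MASK.

    Apply this to the statement text handed to a logger; the original statement
    is still executed unchanged.
    """
    def _replace(m):
        if is_sensitive_key(m.group("key")):
            return f"'{m.group('key')}' = '{MASK}'"
        return m.group(0)

    return _PROPERTY_RE.sub(_replace, statement)


def find_unmasked_secrets(log_lines):
    """Audit already-written log lines (for example from an unpatched version).

    Returns (line_number, key) for each sensitive property whose value was
    logged in the clear, so the corresponding credential can be rotated.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for m in _PROPERTY_RE.finditer(line):
            if is_sensitive_key(m.group("key")) and m.group("value") != MASK:
                hits.append((number, m.group("key")))
    return hits


# Constructed sample statement; the property names and values are made up.
SAMPLE_STATEMENT = (
    "CREATE SOURCE CONNECTOR jdbc_src WITH ("
    "'connector.class' = 'io.confluent.connect.jdbc.JdbcSourceConnector', "
    "'connection.url' = 'jdbc:postgresql://db.example.internal:5432/orders', "
    "'connection.user' = 'replicator', "
    "'connection.password' = 'Example-P4ss', "
    "'confluent.topic.sasl.jaas.config' = 'org.apache.kafka.common.security.plain."
    "PlainLoginModule required username=\"svc\" password=\"Example-S3cret\";', "
    "'topic.prefix' = 'pg-');"
)

# Constructed log lines; the layout imitates a server request log but is not
# the exact format KSQL writes.
SAMPLE_LOG_LINES = [
    "[2022-07-01 10:15:02,114] INFO Received request: LIST STREAMS;",
    "[2022-07-01 10:15:09,501] INFO Received request: " + SAMPLE_STATEMENT,
    "[2022-07-01 10:16:40,010] INFO Received request: "
    + mask_connector_statement(SAMPLE_STATEMENT),
]


if __name__ == "__main__":
    print(mask_connector_statement(SAMPLE_STATEMENT))
    for number, key in find_unmasked_secrets(SAMPLE_LOG_LINES):
        print(f"line {number}: {key} logged in the clear")
```

Masking on the key name rather than on the value is deliberate: value-based heuristics miss short or low-entropy secrets, while a key allow/deny list is predictable and auditable. The audit helper only reports which property leaked on which line, not the value itself, so its own output is safe to forward to a ticketing or SIEM pipeline.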
CVSS Score: 5.6
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N&version=3.1