CVE Reference: CVE-2022-34917
CVSS Score: 7.5
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
Impacted versions:
- Confluent Platform versions up to and including 5.4.8, 5.5.10, 6.0.8, 6.1.6, 6.2.5, 7.0.4, 7.1.2 and 7.2.0 in their respective release lines
- Confluent Cloud
Recommended action:
- Update to the latest available Confluent Platform versions 5.4.10, 5.5.12, 6.0.10, 6.1.8, 6.2.7, 7.0.6, 7.1.4, 7.2.2
- Managed Kafka clusters in Confluent Cloud have already been patched, and no further action is necessary.
Issue:
A security vulnerability was recently identified in Apache Kafka that also affects the Confluent Platform versions listed above and Confluent Cloud.
Several Kafka wire-protocol primitives are length-prefixed: the first few bytes of a request or field declare how large the payload that follows is. A malicious client can set that declared size to an arbitrarily large value. Because the affected code allocated buffers of the declared size without first validating it against the bytes actually received or against a configured limit, such clients can force the broker to allocate large amounts of memory. Repeated requests drive the broker into an OutOfMemoryError, which is effectively a Denial of Service (DoS) against that broker.
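The allocate-then-check pattern described above, and the check-then-allocate pattern that fixes it, as an added illustration (this is not Kafka's or Confluent's code). The frame format is the real Kafka convention (an INT32 big-endian size prefix, INT16-prefixed STRING fields), but the broker side is simulated: a small heap tracker stands in for the JVM so the demo never really allocates gigabytes, and the MAX_RECEIVE_BYTES cap is an assumed value modelled on the 512 KiB default that Apache Kafka exposes as sasl.server.max.receive.size, not a copy of the upstream patch.

```python
import struct
from typing import Optional

# Assumed cap on a frame accepted before/during authentication; modelled on the
# 512 KiB default of Kafka's sasl.server.max.receive.size, not taken from the patch.
MAX_RECEIVE_BYTES = 512 * 1024


class FrameError(ValueError):
    """Raised when a frame is rejected before any allocation happens."""


class SimulatedHeap:
    """Stands in for the JVM heap so the demo never truly allocates gigabytes."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.used = 0

    def allocate(self, size: int) -> None:
        if self.used + size > self.capacity:
            raise MemoryError(f"{size} bytes requested, {self.capacity - self.used} free")
        self.used += size


def build_frame(payload: bytes, declared_size: Optional[int] = None) -> bytes:
    """INT32 big-endian size prefix + payload. A malicious client lies in the prefix."""
    size = len(payload) if declared_size is None else declared_size
    return struct.pack(">i", size) + payload


def read_string(buf: bytes, offset: int) -> tuple:
    """Kafka STRING: INT16 length then UTF-8 bytes, validated against what is present."""
    (length,) = struct.unpack_from(">h", buf, offset)
    offset += 2
    remaining = len(buf) - offset
    if length < 0 or length > remaining:
        raise FrameError(f"string length {length} exceeds {remaining} remaining bytes")
    return buf[offset:offset + length].decode("utf-8"), offset + length


def receive_vulnerable(frame: bytes, heap: SimulatedHeap) -> int:
    """Pre-fix pattern: allocate the declared size, then read into it."""
    (declared,) = struct.unpack_from(">i", frame, 0)
    if declared < 0:
        raise FrameError("negative size")
    heap.allocate(declared)  # attacker-chosen; may be gigabytes per frame
    return declared


def receive_hardened(frame: bytes, heap: SimulatedHeap,
                     max_bytes: int = MAX_RECEIVE_BYTES) -> int:
    """Post-fix pattern: bound the declared size before allocating anything."""
    (declared,) = struct.unpack_from(">i", frame, 0)
    if declared < 0 or declared > max_bytes:
        raise FrameError(f"declared size {declared} outside 0..{max_bytes}")
    heap.allocate(declared)
    return declared


def flood(receiver, frames, heap_capacity: int) -> dict:
    """Replay frames against a fresh heap; count accepted, rejected, and whether it fell over."""
    heap = SimulatedHeap(heap_capacity)
    stats = {"accepted": 0, "rejected": 0, "oom": False}
    for frame in frames:
        try:
            receiver(frame, heap)
            stats["accepted"] += 1
        except FrameError:
            stats["rejected"] += 1
        except MemoryError:
            stats["oom"] = True
            break
    return stats


# Constructed samples: a frame carrying 6 bytes but declaring a 1 GiB size,
# and the same frame with an honest prefix. BROKER_HEAP is a simulated 4 GiB JVM heap.
GIB = 1 << 30
MALICIOUS_FRAME = build_frame(b"\x00\x04abcd", declared_size=GIB)
HONEST_FRAME = build_frame(b"\x00\x04abcd")
BROKER_HEAP = 4 * GIB

if __name__ == "__main__":
    print("vulnerable:", flood(receive_vulnerable, [MALICIOUS_FRAME] * 10, BROKER_HEAP))
    print("hardened:  ", flood(receive_hardened, [MALICIOUS_FRAME] * 10, BROKER_HEAP))
    print("client id :", read_string(HONEST_FRAME, 4))
```

Ten malicious frames exhaust the simulated 4 GiB heap after four are accepted by the vulnerable receiver, while the hardened receiver rejects all ten without allocating; the same bound-before-allocate rule is applied to the inner STRING field, which is checked against the bytes actually present rather than its declared length.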
Both unauthenticated and authenticated clients can trigger the issue; what is required depends on how the cluster's listeners are configured:
- Kafka clusters without authentication: any client able to establish a network connection to the cluster can trigger the issue
- Kafka clusters using SASL authentication: any client able to establish a network connection to the cluster can trigger the issue, even without presenting valid SASL credentials, because the oversized request is processed before authentication completes
- Kafka clusters using TLS client authentication: only clients that successfully authenticate via TLS can trigger the issue
Remediation:
Initial fixes for this vulnerability were included in the previously released Confluent Platform versions 5.4.9, 5.5.11, 6.0.9, 6.1.7, 6.2.6, 7.0.5, 7.1.3 and 7.2.1. Those fixes make the issue no longer exploitable. An additional fix, which makes the maximum size of SASL authentication requests configurable, is included in the updated Confluent Platform versions 5.4.10, 5.5.12, 6.0.10, 6.1.8, 6.2.7, 7.0.6, 7.1.4 and 7.2.2.
For Confluent Cloud, all managed Kafka Clusters have already been patched.
These fixes fully address the issue; the patched versions are no longer susceptible to this Denial of Service condition.