Charlie Osborne 15 February 2023 at 14:01 UTC
Updated: 17 February 2023 at 11:07 UTC
New vulnerabilities related to Remote Code Execution (RCE) and denial-of-service have been identified in Kafka Connect.
UPDATED The Apache Software Foundation (ASF) has addressed a critical vulnerability that could allow RCE attacks via Kafka Connect.
This flaw, announced on February 8, is identified as CVE-2023-25194. It was found in Apache Kafka Connect, an open-source tool essential for data integration across different systems and databases.
The ASF indicates that over 80% of Fortune 100 companies utilize Kafka, impacting various sectors including the banking industry.
As noted in a report, the security vulnerability was discovered by bug bounty expert Jari Jääskelä, who reported the issue through Aiven’s HackerOne program, earning a $5,000 reward.
The issue can be exploited when a user has access to a Kafka Connect worker and is permitted to create or modify worker connectors using arbitrary Kafka client SASL JAAS configurations and SASL security protocols.
Log4Shell Connection
The flaw involves LDAP and JNDI endpoints, reminiscent of the infamous ‘Log4Shell’ vulnerability discovered in the Java logging library Apache Log4j. JNDI is also implicated in another critical vulnerability recently found in Apache Sling JCR Base.
In the case of this Kafka bug, an authenticated attacker could specify a connector property through either the Aiven API or the Kafka Connect REST API, compelling a worker to connect to a malicious LDAP server.
“The server connects to the attacker’s LDAP server and deserializes the LDAP response, allowing the attacker to execute deserialization gadget chains on the Kafka Connect server,” the advisory states. “Attackers can execute commands on the server and access other network resources.”
If all conditions are met, Apache asserts that JNDI requests could lead to remote code execution or denial-of-service attacks.
Disclosure
Josep Prat, the open-source engineering director at Aiven, remarked that Aiven’s bug bounty program enhances the overall security of the open-source ecosystem.
“The bounty program encompasses both proprietary software and open-source projects utilized within our services,” Prat explained to The Daily Swig.
“Since our bounty program’s inception in 2020, 25% of the reports pertained to open-source projects, with 80% being about projects not owned by Aiven but that are part of our dependency chain, including those owned by the Apache Software Foundation.”
In cases of threats affecting upstream projects, Aiven reaches out to the respective security teams to inform them of vulnerabilities discovered.
“In this instance, however, the vulnerability was found to impact only Apache Kafka service providers rather than being a fundamental flaw in the project itself. Following protocol, Aiven recognized this and rewarded the reporter accordingly.”
Prat added that the issue was quickly communicated to the Kafka security team and resolved with Aiven engineers’ assistance.
Updates and Mitigations
Aiven submitted the report on April 4, 2022. It was revealed that Apache Kafka versions 2.3.0-3.3.2 were affected, and the vulnerability was ultimately fixed in version 3.4.0.
Since Kafka version 3.0.0, users have been able to set the connector configuration properties that this attack relies on. Version 3.4.0 adds a new property that disables the problematic login modules in the SASL JAAS configuration.
The ASF advises Kafka Connect users to validate connector configurations and allow only trusted JNDI configurations, to review connector dependencies for vulnerabilities, and to consider upgrading or removing insecure connectors.
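One way to implement the connector-configuration validation the ASF recommends, as an added example that is not Kafka's or Aiven's own code: it scans a Connect REST payload for JAAS strings that name a disallowed login module. The connector class and credentials in the sample payload are constructed placeholders; the denylist default mirrors the `org.apache.kafka.disallowed.login.modules` system property that Kafka 3.4.0 introduced.

```python
import re

# Login modules that must never come from a connector-supplied JAAS string.
# Kafka 3.4.0 ships the same default denylist through the system property
# org.apache.kafka.disallowed.login.modules.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# Every key ending in sasl.jaas.config carries a JAAS string, including the
# producer.override./consumer.override./admin.override. variants a connector
# may supply for the Kafka clients the worker creates on its behalf.
JAAS_KEY = re.compile(r"(^|\.)sasl\.jaas\.config$")

def login_modules(jaas_config):
    """Return the class names from a JAAS string of 'Class flag [k=v ...];' entries."""
    modules = []
    for entry in jaas_config.split(";"):
        tokens = entry.split()
        if tokens:
            modules.append(tokens[0])  # leading token is the login-module class
    return modules

def find_disallowed_login_modules(payload, disallowed=DISALLOWED_LOGIN_MODULES):
    """Return (key, module) pairs for a Connect REST payload or a bare config dict."""
    config = payload.get("config", payload)
    findings = []
    for key, value in config.items():
        if JAAS_KEY.search(key) and isinstance(value, str):
            for module in login_modules(value):
                if module in disallowed:
                    findings.append((key, module))
    return findings

# Constructed sample shaped like a POST body to the Connect REST API; the
# connector class and credentials are placeholders, not real values.
SAMPLE_PAYLOAD = {
    "name": "example-sink",
    "config": {
        "connector.class": "org.example.ExampleSinkConnector",
        "sasl.jaas.config": 'org.apache.kafka.common.security.plain.PlainLoginModule required username="u" password="p";',
        "producer.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required;",
    },
}

if __name__ == "__main__":
    for key, module in find_disallowed_login_modules(SAMPLE_PAYLOAD):
        print(f"REJECT {key}: {module}")
```

Running the check before a connector is created or updated rejects the override key in the sample while leaving the ordinary PlainLoginModule entry untouched.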
Jääskelä also reported a second critical vulnerability concerning Apache Kafka in the same timeframe, with the Aiven JDBC sink potentially being exploited through an unprotected Jolokia bridge, enabling RCE on Kafka Connect servers. He was also rewarded $5,000 for this report, which has since been resolved.
The Daily Swig has reached out to the Apache project for further comments and will provide updates as more information is received.
This article was updated on February 17 with the inclusion of comments from Josep Prat of Aiven.
Based on an article from PortSwigger: https://portswigger.net/daily-swig/remote-code-execution-flaw-patched-in-apache-kafka