Charlie Osborne 15 February 2023 at 14:01 UTC
Updated: 17 February 2023 at 11:07 UTC
New vulnerabilities identified in Kafka Connect can lead to remote code execution (RCE) and potential denial-of-service attacks.

UPDATED: The Apache Software Foundation (ASF) has patched a critical vulnerability allowing for exploitation via Kafka Connect.
First disclosed on February 8, this vulnerability is identified as CVE-2023-25194. It affects Kafka Connect, a component of Apache Kafka designed for integrating data between various systems.
The ASF reports that over 80% of Fortune 100 companies utilize Kafka, with a notable presence in the banking sector.
Bug bounty hunter Jari Jääskelä discovered this vulnerability and reported it through Aiven’s HackerOne program, leading to a reward of $5,000.
Exploitation requires access to a Kafka Connect worker, where a user can leverage a Kafka client SASL JAAS configuration to manipulate worker connectors.
Connection to Log4Shell
This vulnerability involves the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) and has similarities with the infamous Log4Shell vulnerability from 2021. JNDI’s involvement also raises concerns about a newly reported vulnerability in Apache Sling JCR Base.
In this Kafka incident, an authenticated attacker can set specific connector properties through the Aiven API or Kafka Connect REST API, which may allow connectivity to an LDAP server controlled by the attacker.
The advisory states, “The server connects to the LDAP server and deserializes the response, permitting the attacker to execute Java deserialization attacks on the server. This could lead to unauthorized command execution and network resource access.”
Disclosure and Response
Josep Prat, the open source engineering director at Aiven, stated that their bug bounty program enhances the security of both their ecosystem and the broader open source community.
Since launching the bounty program in 2020, 25% of reports pertain to open source projects, with 80% affecting projects owned by third parties that Aiven relies on.
If vulnerabilities are deemed to impact upstream projects, Aiven’s process includes communicating with the relevant security team.
In this case, the problem was initially thought to affect only Apache Kafka service providers rather than to indicate a weakness in the project itself; once it was clear that the project was affected, the issue was communicated to Kafka’s security team and resolved successfully.
Updates and Recommendations
The security issue was reported to Aiven on April 4, 2022, and was found to affect versions 2.3.0 through 3.3.2 before being corrected in version 3.4.0.
Since version 3.0.0, Kafka users have been able to specify these configuration properties; a new property introduced in version 3.4.0 now prevents the misuse of specific login modules.
The ASF advises Kafka Connect users to validate connector configurations and only permit trusted JNDI configurations. Users should also check dependencies for vulnerable versions and either upgrade them or remove affected connectors as part of their remediation strategy.
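As an added illustration of the configuration check recommended above (example code, not from the article, Aiven or the Kafka project), the following Python validator parses every SASL JAAS string in a connector configuration and rejects any login module that is not on an explicit allowlist, which is how a worker operator would refuse the JNDI login module before a connector is created. The allowlist, the sample connector configurations and the `ldap.example.invalid` placeholder are constructed assumptions.

```python
import shlex

# Constructed allowlist: the SASL login modules a Kafka client legitimately uses.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
}
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_jaas_config(value):
    """Parse '<LoginModuleClass> <flag> [key=value ...];' entries into
    [(module_class, flag, {option: value})]. shlex handles quoted values."""
    entries = []
    for raw in value.split(";"):
        tokens = shlex.split(raw)
        if not tokens:
            continue  # empty piece after the final ';'
        if len(tokens) < 2 or tokens[1] not in JAAS_FLAGS:
            raise ValueError(f"malformed JAAS entry: {raw.strip()!r}")
        options = dict(tok.partition("=")[::2] for tok in tokens[2:])
        entries.append((tokens[0], tokens[1], options))
    return entries

def find_disallowed_login_modules(connector_config):
    """One finding per login module not on the allowlist. Connect lets a
    connector override its producer/consumer/admin client settings, so every
    key ending in sasl.jaas.config is inspected, not only the bare one."""
    findings = []
    for key, value in connector_config.items():
        if key.endswith("sasl.jaas.config"):
            for module, _flag, _options in parse_jaas_config(value):
                if module not in ALLOWED_LOGIN_MODULES:
                    findings.append(f"{key}: login module {module} is not allowlisted")
    return findings

# Constructed sample connector configurations, not from any real deployment.
SAFE_CONFIG = {
    "connector.class": "FileStreamSink",
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="svc" password="example";',
}
BAD_CONFIG = {
    "connector.class": "FileStreamSink",
    "consumer.override.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://ldap.example.invalid/";',
}
```

Kafka 3.4.0’s own fix takes the complementary denylist approach through its `org.apache.kafka.disallowed.login.modules` property; an allowlist check like this one, run before a connector configuration reaches the REST API, is a defence in depth for workers that cannot upgrade yet.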
Jääskelä has also reported an additional critical vulnerability involving Apache Kafka, earning another $5,000 reward during the same month for reporting an unprotected Jolokia bridge that could lead to RCE on Kafka Connect servers.
The Daily Swig is in contact with the Apache project for further updates on this situation.
This article was last updated on February 17, including comments from Josep Prat of Aiven.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/remote-code-execution-flaw-patched-in-apache-kafka
