Remote code execution flaw patched in Apache Kafka

Charlie Osborne – 15 February 2023 at 14:01 UTC
Updated: 17 February 2023 at 11:07 UTC

A critical vulnerability associated with remote code execution (RCE) and denial-of-service has been uncovered in Kafka Connect.

Kafka Connect Vulnerability

UPDATE: The Apache Software Foundation (ASF) has addressed a vulnerability that can facilitate remote code execution (RCE) attacks through Kafka Connect.

The flaw, announced on February 8, is identified as CVE-2023-25194. It reveals a critical weakness in the free and open-source component of Apache Kafka known as Kafka Connect, which serves as a central hub for data integration among various systems, databases, and key-value stores.

The ASF reports that over 80% of Fortune 100 companies depend on the Kafka platform, including around 70% of banks.

Bug bounty hunter Jari Jääskelä discovered the security issue and reported it through Aiven’s HackerOne bug bounty program, receiving a reward of $5,000 for his findings.

This vulnerability can be triggered if a user has access to a Kafka Connect worker – a logical unit of work – and can create or adjust worker connectors using an arbitrary Kafka client SASL JAAS config, along with a SASL-based security protocol.

Connection to Log4Shell

The issue relates to the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints, reminiscent of the ‘Log4Shell’ vulnerability discovered in 2021 within Apache Log4j, a widely-used Java logging library. JNDI is also linked to a recently revealed critical vulnerability in Apache Sling JCR Base.

This Kafka vulnerability allows an authenticated attacker to define a specific connector property via either the Aiven API or the Kafka Connect REST API, leading a worker to connect to an LDAP server controlled by the attacker.

As outlined in the advisory, “The server will connect to the attacker’s LDAP server and deserialize the LDAP response, enabling the attacker to execute java deserialization gadget chains on the Kafka Connect server.” Consequently, attackers can execute commands on the server and access other resources within the network.

When the necessary conditions are met, Apache warns that it could be feasible to conduct JNDI requests, potentially leading to RCE or denial-of-service attacks.

Disclosure and Response

Josep Prat, the open-source engineering director at Aiven, stated that Aiven’s bug bounty program enhances “the security posture of the overall open-source ecosystem” as well as their own.

“Our bounty program encompasses both proprietary and open-source projects,” he explained to The Daily Swig.

Since the bounty program launched in 2020, 25% of the reports have concerned open-source projects, and 80% of those have targeted projects outside Aiven that are critical to its dependency chain, such as those owned by the Apache Software Foundation.

Prat noted that if a bug report is judged to affect an upstream project, Aiven reaches out to that project's security team to report the potential vulnerability.

“In this particular case, the vulnerability was assessed initially to impact only Apache Kafka service providers and was not a deficiency in the project itself. Consequently, Aiven accepted the report and the bounty was awarded to the reporter,” he stated.

Following this, the issue was promptly communicated to the Kafka security team, which worked with Aiven engineers to resolve it.

Updates and Recommendations

The initial report was submitted to Aiven on April 4, 2022. Apache Kafka versions 2.3.0-3.3.2 were found to be affected, while the vulnerability was remedied in version 3.4.0.

The ASF highlights that since Kafka 3.0.0, users can specify the connector configuration properties involved in the attack chain. A new property is introduced in version 3.4.0 to disable the problematic login module use in the SASL JAAS configuration, in addition to other security enhancements.

The ASF advises Kafka Connect users to validate connector configurations strictly, permitting only trusted JNDI configurations. Users should also examine connector dependencies for vulnerable versions and consider upgrading connectors, updating specific dependencies, or removing connectors as means of remediation.
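The attack path described above (a connector-level SASL JAAS override naming a JNDI login module) and the ASF's advice to validate connector configurations strictly both come down to inspecting the `sasl.jaas.config` values a Connect worker has accepted. The following audit script is an added example, not code from the article, Aiven or the Kafka project. It assumes connector configurations have already been fetched from the Connect REST API (GET /connectors/<name>/config) and passed in as a dict; the sample configurations and connector class names below are constructed. The key names it checks (`sasl.jaas.config`, `security.protocol`, the `producer.override.`/`consumer.override.`/`admin.override.` prefixes and `connector.client.config.override.policy`) are real Kafka Connect settings; the allowlist of login modules is the script's own policy choice.

```python
"""Audit Kafka Connect connector configs for untrusted SASL JAAS login modules.

Added example (not the project's code). Input is the dict a GET to
/connectors/<name>/config on the Connect REST API returns, one per connector.
"""
import re

# Policy choice for this script: login modules a connector override may use.
# Anything else is reported; the JNDI module is reported as critical because
# it is the one the CVE-2023-25194 fix disables by default in 3.4.0.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "com.sun.security.auth.module.Krb5LoginModule",
}
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

# sasl.jaas.config / security.protocol, either bare or with one of the
# per-client override prefixes that connector configs may carry.
JAAS_KEY_RE = re.compile(r"^(?:(?:producer|consumer|admin)\.override\.)?sasl\.jaas\.config$")
PROTOCOL_KEY_RE = re.compile(r"^(?:(?:producer|consumer|admin)\.override\.)?security\.protocol$")
# A JAAS entry starts with the login module class name, then a control flag.
MODULE_RE = re.compile(
    r"^\s*([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)\s+"
    r"(?:required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)


def login_module_of(jaas_config):
    """Return the login module class named by a JAAS config string, or None."""
    m = MODULE_RE.match(jaas_config)
    return m.group(1) if m else None


def audit_connector(name, config):
    """Return (connector, key, severity, reason) findings for one connector config."""
    findings = []
    uses_sasl = any(
        PROTOCOL_KEY_RE.match(k) and str(v).upper().startswith("SASL")
        for k, v in config.items()
    )
    for key, value in config.items():
        if not JAAS_KEY_RE.match(key):
            continue
        module = login_module_of(str(value))
        if module == JNDI_LOGIN_MODULE:
            # The module itself is the problem; report it whether or not a
            # SASL protocol is set on the same connector (the worker may set one).
            findings.append((name, key, "critical", "JNDI login module in JAAS config"))
        elif module is None:
            findings.append((name, key, "medium", "unparseable JAAS config"))
        elif module not in ALLOWED_LOGIN_MODULES:
            sev = "high" if uses_sasl else "medium"
            findings.append((name, key, sev, f"login module {module} not on allowlist"))
    return findings


def audit_all(configs):
    """Audit every connector; configs maps connector name -> config dict."""
    return [f for n, cfg in sorted(configs.items()) for f in audit_connector(n, cfg)]


def override_policy_is_permissive(worker_props):
    """True if the worker lets connectors override client settings at all.

    connector.client.config.override.policy takes None, Principal or All;
    the default became All in Kafka 3.0.0, which is why out-of-the-box
    clusters accept a connector-supplied sasl.jaas.config.
    """
    policy = worker_props.get("connector.client.config.override.policy", "All")
    return policy.strip().lower() == "all"


# Constructed sample data: three connector configs as the REST API might return them.
SAMPLE_CONNECTOR_CONFIGS = {
    "orders-sink": {
        "connector.class": "io.example.JdbcSinkConnector",  # placeholder class
        "topics": "orders",
        "consumer.override.security.protocol": "SASL_SSL",
        "consumer.override.sasl.mechanism": "SCRAM-SHA-512",
        "consumer.override.sasl.jaas.config":
            "org.apache.kafka.common.security.scram.ScramLoginModule required "
            'username="orders-svc" password="<redacted>";',
    },
    "suspicious-source": {
        "connector.class": "io.example.FileSourceConnector",  # placeholder class
        "producer.override.security.protocol": "SASL_PLAINTEXT",
        "producer.override.sasl.mechanism": "PLAIN",
        # Module options omitted; the module name alone is what the audit keys on.
        "producer.override.sasl.jaas.config":
            "com.sun.security.auth.module.JndiLoginModule required;",
    },
    "plain-source": {
        "connector.class": "io.example.FileSourceConnector",
        "file": "/tmp/input.txt",
        "topic": "lines",
    },
}

if __name__ == "__main__":
    for connector, key, severity, reason in audit_all(SAMPLE_CONNECTOR_CONFIGS):
        print(f"[{severity}] {connector}: {key}: {reason}")
```

Running the script against the sample reports only `suspicious-source` as critical. In practice the same checks belong at two points: on the stored configs (as here, to find what is already deployed) and at submission time, by tightening `connector.client.config.override.policy` on the worker so that untrusted principals cannot set client overrides at all; on 3.4.0 and later the JNDI module is additionally disabled by default through the `org.apache.kafka.disallowed.login.modules` system property the fix introduced.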

Jääskelä also reported a second critical vulnerability concerning Apache Kafka during the same month.

The Aiven JDBC sink, along with the SQLite JDBC driver, could be exploited via an unsecured Jolokia bridge to execute RCE on Kafka Connect servers. The bug bounty hunter received a $5,000 reward for this second report, which has since been addressed.

The Daily Swig has reached out to the Apache project for further comments and will provide updates as more information becomes available.

This article was revised on February 17 after receiving comments from Josep Prat of Aiven.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/remote-code-execution-flaw-patched-in-apache-kafka
