Patch Released for CVE-2023-25194 RCE Vulnerability in Apache Kafka



The latest Apache Kafka update addresses an unsafe Java deserialization vulnerability that an authenticated remote attacker could exploit to execute code.

CVE-2023-25194

Tracked as CVE-2023-25194, the flaw could allow a remote, authenticated attacker to execute arbitrary code on the system. It is caused by unsafe deserialization when a connector is configured via the Kafka Connect REST API.

By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system. The vulnerability has been classified as “important.”

The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API.

An authenticated attacker can set the sasl.jaas.config property for any of the connector’s Kafka clients to “com.sun.security.auth.module.JndiLoginModule”. This is possible via the following properties:

  • producer.override.sasl.jaas.config
  • consumer.override.sasl.jaas.config
  • admin.override.sasl.jaas.config

Recommendations

Security researchers recommend that Kafka Connect users validate their connector configurations and permit only trusted JNDI configurations.

Users should also check their connectors’ dependencies for vulnerable versions and take appropriate action, such as upgrading the connectors, upgrading the specific dependency, or removing the connectors.

Users can also mitigate the impact of this vulnerability by validating connector configurations and only allowing trusted JNDI configurations.
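The configuration check the advisory recommends, for the override properties listed above, as an added example that is not part of the original post or of Apache Kafka itself. It assumes connector configurations have been pulled from the Connect REST API as key/value dictionaries, and the allowlist of trusted login modules is an assumption an operator would adjust to their own deployment.

```python
from typing import Dict, List

# Kafka client settings that carry a JAAS login-module string; the three
# override keys are the ones named in the advisory.
JAAS_KEYS = {
    "sasl.jaas.config",
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
}

# Assumed allowlist: login modules a Connect operator would normally expect.
# Anything else, including the JndiLoginModule named in the advisory, is flagged.
TRUSTED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
}


def login_module_of(jaas_config: str) -> str:
    """Return the login-module class named in a JAAS config string.

    JAAS format: '<LoginModuleClass> <flag> [key=value ...];'
    """
    parts = jaas_config.strip().split()
    return parts[0] if parts else ""


def check_connector_config(name: str, config: Dict[str, str]) -> List[str]:
    """Return one finding per JAAS setting that names an untrusted login module."""
    findings = []
    for key, value in config.items():
        if key not in JAAS_KEYS:
            continue
        module = login_module_of(value)
        if module not in TRUSTED_LOGIN_MODULES:
            findings.append(f"{name}: {key} uses untrusted login module {module!r}")
    return findings


# Constructed sample connector configurations (not real deployments).
SAMPLE_OK = {
    "connector.class": "FileStreamSource",
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required username="u" password="p";',
}
SAMPLE_BAD = {
    "connector.class": "FileStreamSource",
    "admin.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required;",
}

if __name__ == "__main__":
    for cname, cfg in (("ok-connector", SAMPLE_OK), ("bad-connector", SAMPLE_BAD)):
        print(cname, check_connector_config(cname, cfg) or "no findings")
```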


Published February 10th, 2023 (2023-02-10T23:24:05+05:30) | Compromised, Internet Security, Security Advisory, Security Update, vulnerability

About the Author:

FirstHackersNews- Identifies Security
