Abstract: A possible security vulnerability has been identified in Apache Kafka Connect that could permit an attacker to execute Java deserialization gadget chains on the Kafka Connect server, potentially resulting in remote code execution (RCE). This post discusses the details of this vulnerability, its consequences, and the measures to protect your Kafka Connect clusters.

Introduction

Apache Kafka Connect is a framework for connecting and processing data stored in Apache Kafka clusters. It enables the easy integration of applications and services with Kafka stream processing pipelines. However, a security vulnerability was detected in Apache Kafka Connect versions 2.3.0 and later, which could enable an attacker to cause unrestricted deserialization of untrusted data or even launch an RCE attack against the target system.

Exploit Details

CVE-2023-25194 affects Apache Kafka Connect deployments in which an authenticated operator can create or modify connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. The vulnerability stems from that operator's ability to set the sasl.jaas.config property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule" through the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties.

Here's a code snippet that illustrates the vulnerable configuration:

{
    "connector.class": "some.connector.class",
    "producer.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule...",
    "consumer.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule...",
    "admin.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule..."
}

By exploiting this vulnerability, an attacker can force the server to connect to the attacker's LDAP server and deserialize the LDAP response. This could lead to the execution of Java deserialization gadget chains on the Kafka Connect server, potentially resulting in remote code execution (RCE) when certain gadgets are available on the classpath.

Mitigation Measures

In response to this vulnerability, the Apache Kafka project has taken the following measures since the release of version 3.0.0:

1. Users are now allowed to specify sasl.jaas.config properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations.

2. Users may not specify sasl.jaas.config properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them.

3. Since Apache Kafka 3.4.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") has been added to disable the use of problematic login modules in SASL JAAS configuration. By default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0.

1. Validate connector configurations and only allow trusted JNDI configurations.

2. Examine connector dependencies for vulnerable versions. If any are found, the remediation options are upgrading the connector, upgrading the specific dependency, or removing the connector.

3. Leverage the "org.apache.kafka.disallowed.login.modules" system property to disable the problematic login modules.

4. Implement your own connector client config override policy to control which Kafka client properties can be overridden directly in a connector config and which cannot.
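As an added example that is not Apache Kafka's own code, the following policy shows what steps 1 and 4 can look like together: a connector client config override policy that, like the built-in "Principal" policy, permits only the SASL client overrides, but additionally parses each sasl.jaas.config override and rejects any login module not on an allow list. The class name, the allow-listed login modules and the error wording are assumptions for this illustration; the interfaces it implements are Kafka Connect's public policy API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.common.config.ConfigValue;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigOverridePolicy;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigRequest;

// Hypothetical policy, not part of Apache Kafka. Only the SASL client settings may be overridden,
// and a sasl.jaas.config override is accepted only when its login module is allow-listed, so
// JndiLoginModule is rejected at connector validation time, before any client is created.
public class AllowListedJaasOverridePolicy implements ConnectorClientConfigOverridePolicy {
    // Assumption: these are the only login modules connectors in this cluster legitimately need.
    private static final Set<String> ALLOWED_LOGIN_MODULES = new HashSet<>(Arrays.asList(
        "org.apache.kafka.common.security.plain.PlainLoginModule",
        "org.apache.kafka.common.security.scram.ScramLoginModule"));
    private static final Set<String> ALLOWED_KEYS = new HashSet<>(Arrays.asList(
        SaslConfigs.SASL_JAAS_CONFIG, SaslConfigs.SASL_MECHANISM,
        CommonClientConfigs.SECURITY_PROTOCOL_CONFIG));
    @Override public void configure(Map<String, ?> configs) { }
    @Override public void close() { }
    @Override
    public List<ConfigValue> validate(ConnectorClientConfigRequest request) {
        List<ConfigValue> results = new ArrayList<>();
        for (Map.Entry<String, Object> entry : request.clientProps().entrySet()) {
            String key = entry.getKey();
            ConfigValue cv = new ConfigValue(key, entry.getValue(), new ArrayList<>(), new ArrayList<>());
            if (!ALLOWED_KEYS.contains(key)) {
                cv.addErrorMessage("Override of '" + key + "' is not permitted by this policy");
            } else if (SaslConfigs.SASL_JAAS_CONFIG.equals(key)) {
                String module = loginModuleOf(String.valueOf(entry.getValue()));
                if (!ALLOWED_LOGIN_MODULES.contains(module)) {
                    cv.addErrorMessage("Login module '" + module + "' is not permitted for the "
                        + request.clientType() + " client of connector '" + request.connectorName() + "'");
                }
            }
            results.add(cv);  // every key gets a ConfigValue; Connect rejects the config if any has errors
        }
        return results;
    }
    // A JAAS config entry begins with the login module class name, then its control flag and options.
    static String loginModuleOf(String jaasConfig) {
        return jaasConfig.trim().split("\\s+", 2)[0];
    }
}
```

To activate it, place the compiled class on the worker's classpath and set connector.client.config.override.policy to its fully qualified class name in the worker configuration; on Kafka 3.4.0 and later this complements, rather than replaces, the disallowed login modules system property.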

Conclusion

CVE-2023-25194 is a critical vulnerability in Apache Kafka Connect that may allow attackers to exploit deserialization vulnerabilities and launch RCE attacks. It is essential to identify affected systems and apply the necessary mitigation measures to protect your Kafka Connect clusters. By taking the steps outlined above, you can minimize the risk posed by this vulnerability and help ensure the security of your data pipelines.

Timeline

Published on: 02/07/2023 20:15:00 UTC
Last modified on: 02/16/2023 16:44:00 UTC