Possible RCE and denial-of-service issue discovered in Kafka Connect
UPDATED The Apache Software Foundation (ASF) has resolved a vulnerability that can be exploited to launch remote code execution (RCE) attacks using Kafka Connect.
Announced on February 8, the critical flaw is tracked as CVE-2023-25194. It was discovered in Apache Kafka Connect, a free, open source component of Apache Kafka that operates as a central hub for data integration between systems, databases, and key-value stores.
The ASF claims that more than 80% of Fortune 100 organizations use the Kafka platform, including approximately seven out of every 10 banks.
According to Apache’s mailing list note, the security flaw was discovered by bug bounty hunter Jari Jääskelä, who reported the issue via Aiven’s HackerOne bug bounty program and earned a $5,000 bug bounty reward.
The vulnerability can only be triggered when there is access to a Kafka Connect worker – a logical work unit component – and the user can create or modify worker connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol.
The vulnerability involves the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints, as was the case with ‘Log4Shell’, the landmark vulnerability discovered in ubiquitous Java logging library Apache Log4j in 2021. JNDI is also involved in another, newly disclosed critical vulnerability in Apache Sling JCR Base.
With the Kafka bug, an authenticated attacker could configure a specific connector property via either the Aiven API or the Kafka Connect REST API, forcing a worker to connect to an attacker-controlled LDAP server.
“The server will connect to the attacker’s LDAP server and it deserializes the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka Connect server,” the advisory reads. “Attacker[s] can execute commands on the server and access other resources on the network.”
When each prerequisite exists, Apache says it would be possible to perform JNDI requests, potentially leading to the execution of remote code or denial-of-service attacks.
Josep Prat, open source engineering director at Aiven, said Aiven’s bug bounty program bolstered “the security posture of the overall open source ecosystem” as well as its own.
“The bounty program at Aiven applies to both proprietary software as well as any of the open source projects used by it,” he told The Daily Swig.
“Since running our bounty program in 2020, 25% of the reports are on open source projects, of which 80% are on projects not owned by Aiven but part of the our dependency chain, such as projects owned by the Apache Software Foundation.”
Prat said if bug reports are “deemed to affect upstream projects, we will reach out to the security team of the said project and report the possible vulnerability that was discovered.
“In this particular instance, though, the vulnerability was initially assessed to only impact Apache Kafka service providers (and not upstream) rather than being a deficiency of the project itself. Hence, in accordance with the process, Aiven accepted and the bounty was paid to the reporter.”
Prat said the issue was then promptly reported to the Kafka security team and resolved with the help of Aiven engineers.
The report was first submitted to Aiven on April 4, 2022. Apache Kafka versions 2.3.0-3.3.2 were found to be impacted, and the vulnerability was fixed in version 3.4.0.
The ASF notes that since Kafka 3.0.0, users have been able to specify the connector configuration properties used in the attack chain. A new property has been added that disables problematic login module usage in the SASL JAAS configuration in version 3.4.0, alongside additional security measures.
The ASF said: “We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also, examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.”
Jääskelä also submitted a second critical vulnerability report concerning Apache Kafka in the same month.
The Aiven JDBC sink, including the SQLite JDBC driver, could be abused with an unprotected Jolokia bridge to execute RCE on Kafka Connect servers. The bug bounty hunter was awarded $5,000 for this report too, and the security issue has since been resolved.
The Daily Swig has reached out to the Apache project and we will update this story as and when we hear back.
This story was updated on February 17 with the addition of comment from Josep Prat of Aiven
YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022