Bug 1796593 (CVE-2019-12399)

Summary: CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks endpoint
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, chazlett, dkreling, drieden, etirelli, ganandan, ggaughan, ibek, janstey, jbalunas, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, paradhya, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, swoodman
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kafka 2.0.2, kafka 2.1.2, kafka 2.2.2, kafka 2.3.1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-23 16:32:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1796594

Description Guilherme de Almeida Suckevicz 2020-01-30 18:02:58 UTC
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

References:
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2020/01/14/1
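An added audit check for the behaviour described in the report (example code written here, not from the reporter or the Kafka project): compare a connector config as submitted, placeholders intact, with what the worker's tasks endpoint serves, and flag every property whose externalized-secret placeholder came back resolved. The connector name, connector class, secrets file path and resolved value are constructed.

```python
import re
from typing import Dict, List

# Externalized-secret placeholder as Kafka Connect ConfigProviders spell it:
# ${provider:path:key}. Any value still holding one was NOT resolved by the worker.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def leaked_keys(connector_config: Dict[str, str], task_config: Dict[str, str]) -> List[str]:
    """Keys whose submitted value carried a placeholder that the served task
    config no longer contains: the worker substituted the secret before
    handing the config to a REST client, which is the behaviour in CVE-2019-12399."""
    leaked = []
    for key, submitted in connector_config.items():
        served = task_config.get(key)
        if served is None:
            continue
        if PLACEHOLDER.search(submitted) and not PLACEHOLDER.search(served):
            leaked.append(key)
    return sorted(leaked)


def audit_tasks_response(connector_config: Dict[str, str], tasks_response: list) -> Dict[int, List[str]]:
    """tasks_response has the JSON shape of GET /connectors/{name}/tasks:
    [{"id": {"connector": ..., "task": n}, "config": {...}}, ...]."""
    return {t["id"]["task"]: leaked_keys(connector_config, t["config"]) for t in tasks_response}


# Constructed sample data (not a real capture): a connector config with one
# whole-value placeholder and one placeholder embedded in a substring.
SUBMITTED = {
    "connector.class": "io.example.JdbcSinkConnector",  # hypothetical class name
    "connection.password": "${file:/etc/kafka/secrets.properties:db.password}",
    "connection.url": "jdbc:postgresql://db.internal:5432/app?password=${file:/etc/kafka/secrets.properties:db.password}",
}
# What an affected worker serves: the substring placeholder came back resolved.
SERVED_AFFECTED = [{"id": {"connector": "jdbc-sink", "task": 0}, "config": {
    "connector.class": "io.example.JdbcSinkConnector",
    "connection.password": "${file:/etc/kafka/secrets.properties:db.password}",
    "connection.url": "jdbc:postgresql://db.internal:5432/app?password=constructed-plaintext",
}}]
# What a fixed worker serves: placeholders preserved in every property.
SERVED_FIXED = [{"id": {"connector": "jdbc-sink", "task": 0}, "config": dict(SUBMITTED)}]

if __name__ == "__main__":
    print(audit_tasks_response(SUBMITTED, SERVED_AFFECTED))  # {0: ['connection.url']}
    print(audit_tasks_response(SUBMITTED, SERVED_FIXED))     # {0: []}
```

Running this against a live cluster means substituting the JSON from GET /connectors/{name}/config and GET /connectors/{name}/tasks for the constructed dictionaries; a non-empty list for any task means the worker is still on an affected version.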

Comment 4 errata-xmlrpc 2020-03-23 13:21:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939

Comment 5 Product Security DevOps Team 2020-03-23 16:32:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12399