Bug 2048682 (CVE-2021-41571)

Summary: CVE-2021-41571 pulsar: Pulsar Admin API allows access to data from other tenants using getMessageById API
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, chazlett, janstey, jochrist, pantinor
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2048683    

Description Pedro Sampaio 2022-01-31 17:25:34 UTC 
Description:

In Apache Pulsar it is possible to access data from BookKeeper that
does not belong to the topics accessible by the authenticated user.

The Admin API get-message-by-id requires the user to input a topic and
a ledger id. The ledger id is a pointer to the data, and it is
supposed to be a valid id for the topic.
Authorisation controls are performed against the topic name and there
is not proper validation that the ledger id is valid in the context of
such ledger.
So it may happen that the user is able to read from a ledger that
contains data owned by another tenant.

This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior
versions; Apache Pulsar version 2.7.3 and prior versions; Apache
Pulsar version 2.6.4 and prior versions.

This issue is being tracked as https://github.com/apache/pulsar/issues/11814

Mitigation:

If you are running Pulsar behind a proxy you can disable access to the
REST API for the flawed API

/admin/v2/non-persistent/{tenant}/{namespace}/{topic}/ledger/{ledgerId}/entry/{entryId}

References:

https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId
https://github.com/apache/pulsar/issues/11814
Comment 1 juneau 2022-02-03 18:24:17 UTC 
Marking services-managed-kafka affected/delegated. Affected code present:

services-managed-kafka/mk-ci-cd/kas-fleetshard-operator:b165510/org.apache.pulsar:pulsar-client-all-2.6.0 https://gitlab.cee.redhat.com/mk-ci-cd/kas-fleetshard/blob/production/pom.xml
services-managed-kafka/mk-ci-cd/kas-fleetshard-sync:b165510/org.apache.pulsar:pulsar-client-all-2.6.0 https://gitlab.cee.redhat.com/mk-ci-cd/kas-fleetshard/blob/production/pom.xml