Bug 2371365 (CVE-2025-27819)

Summary: CVE-2025-27819 org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: anstephe, aprice, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, caswilli, ccranfor, cdewolf, chfoley, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dnakabaa, dosoudil, drosa, dsimansk, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jcantril, jmartisk, jnethert, jpechane, jpoth, jrokos, jsamir, jscholz, kaycoth, kholdawa, kingland, kverlaen, lcouzens, lgao, lthon, manderse, matzew, mnovotny, mosmerov, mskarbek, msochure, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, pcongius, pdelbell, periklis, pesilva, pgallagh, pjindal, pmackay, probinso, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, sthirugn, swoodman, tcunning, tom.jenkinson, tqvarnst, vkrizan, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version:
Doc Text:
A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when misconfigured. This flaw allows an attacker to provide a malicious JNDI URI within the Kafka broker's configuration, permitting arbitrary code execution on the affected system.

Description OSIDB Bzimport 2025-06-10 08:01:05 UTC
In CVE-2023-25194, we announced the RCE/denial of service attack via the SASL JAAS JndiLoginModule configuration in the Kafka Connect API. But not only the Kafka Connect API is vulnerable to this attack; the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the usage of problematic login modules in the SASL JAAS configuration. Also, by default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in Apache Kafka 3.9.1/4.0.0.
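The mitigation described in the comment above has two sides for a defender: verifying that no `sasl.jaas.config` value in broker or client configuration names one of the disallowed login modules, and setting the `org.apache.kafka.disallowed.login.modules` property so that the broker refuses them even if an `AlterConfigs` call later introduces one. The following script is an added example for this bug page; it is not code from the report or from Apache Kafka. It assumes the JAAS statement syntax Kafka's `sasl.jaas.config` uses (`LoginModuleClass controlFlag (option=value)* ;`) and that the property takes a comma-separated class list, as the text above shows. The function names, the sample configuration values and the host `ldap.example.invalid` are constructed for illustration.

```python
"""Audit Kafka SASL/JAAS settings for the login modules named in this advisory.

Added example for this bug page; it is not part of Apache Kafka or of the report.
It assumes the JAAS statement syntax Kafka's sasl.jaas.config uses:
    LoginModuleClass controlFlag (optionName=optionValue)* ;
All configuration values below are constructed sample data.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Property named in the advisory; its value is a comma-separated list of classes.
DISALLOWED_PROPERTY = "org.apache.kafka.disallowed.login.modules"

# Default disallowed set in Apache Kafka 3.9.1 / 4.0.0 according to the advisory.
DEFAULT_DISALLOWED = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})


@dataclass(frozen=True)
class JaasEntry:
    login_module: str          # fully qualified class name, first token of the statement
    control_flag: str          # required / requisite / sufficient / optional
    options: dict[str, str] = field(default_factory=dict)


def parse_jaas(text: str) -> list[JaasEntry]:
    """Split a JAAS configuration string into login-module entries.

    Kafka's sasl.jaas.config holds exactly one statement; a KafkaServer section
    of a JAAS file may hold several, so every ';'-terminated statement is parsed.
    Quoting is honoured, so a ';' or a space inside a quoted value stays intact.
    """
    lexer = shlex.shlex(text, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True      # split only on whitespace and on ';'
    entries: list[JaasEntry] = []
    current: list[str] = []
    for token in list(lexer) + [";"]:  # trailing ';' flushes an unterminated statement
        if token != ";":
            current.append(token)
            continue
        if not current:
            continue
        if len(current) < 2:
            raise ValueError(f"incomplete JAAS statement: {' '.join(current)!r}")
        module, flag, *raw_options = current
        options: dict[str, str] = {}
        for raw in raw_options:
            key, sep, value = raw.partition("=")
            if not sep:
                raise ValueError(f"malformed JAAS option {raw!r}")
            options[key] = value
        entries.append(JaasEntry(module, flag.lower(), options))
        current = []
    return entries


def audit_sasl_configs(configs: dict[str, str],
                       disallowed: frozenset[str] = DEFAULT_DISALLOWED) -> list[str]:
    """Return one finding per config key whose JAAS value names a disallowed module.

    Broker-side keys look like listener.name.<listener>.<mechanism>.sasl.jaas.config;
    client-side configs use plain sasl.jaas.config, so any key ending in
    'sasl.jaas.config' is inspected and everything else is skipped.
    """
    findings = []
    for key, value in configs.items():
        if not key.endswith("sasl.jaas.config"):
            continue
        for entry in parse_jaas(value):
            if entry.login_module in disallowed:
                findings.append(f"{key}: disallowed login module {entry.login_module}")
    return findings


def jvm_flag(disallowed: frozenset[str] = DEFAULT_DISALLOWED) -> str:
    """Render the blocking property as a JVM option, e.g. to append to KAFKA_OPTS."""
    return f"-D{DISALLOWED_PROPERTY}=" + ",".join(sorted(disallowed))


# Constructed sample: two entries using Kafka's own PLAIN/SCRAM modules, one using
# the JNDI module this advisory concerns (host is a non-routable placeholder), and
# one unrelated key that the audit must ignore.
SAMPLE_CONFIGS = {
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="broker" password="broker-secret" user_broker="broker-secret";',
    "sasl.jaas.config":
        'org.apache.kafka.common.security.scram.ScramLoginModule required '
        'username="app" password="app-secret";',
    "listener.name.sasl_ssl.plain.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://ldap.example.invalid/" useFirstPass=true;',
    "log.retention.hours": "168",
}

if __name__ == "__main__":
    for finding in audit_sasl_configs(SAMPLE_CONFIGS):
        print("FINDING", finding)
    print("Broker JVM option:", jvm_flag())
```

Running the audit against a broker's effective configuration (including dynamic per-listener settings, which is where an `AlterConfigs` change would land) catches the misconfiguration after the fact; the property rendered by `jvm_flag()` is the preventive control and is worth setting explicitly even on versions where it is already the default, so an upgrade or downgrade cannot silently change the list.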