1796593 – (CVE-2019-12399) CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks endpoint

Bug 1796593 (CVE-2019-12399) - CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks endpoint

Summary: CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks end...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-12399
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1796594
TreeView+	depends on / blocked

Reported:	2020-01-30 18:02 UTC by Guilherme de Almeida Suckevicz
Modified:	2020-12-15 15:59 UTC (History)
CC List:	33 users (show)
Fixed In Version:	kafka 2.0.2, kafka 2.1.2, kafka 2.2.2, kafka 2.3.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-23 16:32:11 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:0939	0	None	None	None	2020-03-23 13:21:09 UTC

Description Guilherme de Almeida Suckevicz 2020-01-30 18:02:58 UTC

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

References:
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2020/01/14/1

Comment 4 errata-xmlrpc 2020-03-23 13:21:06 UTC

This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939

Comment 5 Product Security DevOps Team 2020-03-23 16:32:11 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12399

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
almorale
anstephe
avibelli
bgeorges
chazlett
dkreling
drieden
etirelli
ganandan
ggaughan
ibek
janstey
jbalunas
jochrist
jpallich
jstastny
jwon
krathod
kverlaen
lthon
mnovotny
mszynkie
paradhya
pgallagh
pjindal
rrajasek
rruss
rsynek
sdaley
swoodman