Bug 2216516 (CVE-2023-25194) - CVE-2023-25194 kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect
Keywords:
Status: NEW
Alias: CVE-2023-25194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2167967
Reported: 2023-06-21 16:08 UTC by Chess Hazlett
Modified: 2023-07-21 22:26 UTC (History)

Fixed In Version: Apache Kafka 3.4.0
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Chess Hazlett 2023-06-21 16:08:21 UTC
When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.

This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. An attacker can cause unrestricted deserialization of untrusted data, or RCE, when there are gadgets in the classpath.
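As an added example (not part of this bug report and not Kafka's own code), a defensive pre-deployment lint in Python that parses each SASL JAAS string under the keys named in the description and rejects the login module the report identifies; Kafka 3.4.0, the fixed version above, disallows that module by default, and this check is an independent reimplementation of the same idea. The function names, the `JAAS_KEYS` list and the `SAMPLE` connector config are constructed for the example.

```python
"""Lint a Kafka Connect connector config for disallowed JAAS login modules.
Added example, not Kafka's own code: a pre-deployment check over the JSON body
an operator would PUT to the Connect REST API, in the spirit of the 3.4.0 fix."""
import re

# Keys under which a connector config can carry a SASL JAAS string (per the report).
JAAS_KEYS = (
    "sasl.jaas.config",
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)
# Login modules that perform JNDI lookups; the report names JndiLoginModule.
DISALLOWED_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# One JAAS entry: "<module class> <control flag> [key=value ...];"
_ENTRY = re.compile(
    r"\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b[^;]*;", re.I
)

def login_modules(jaas_config: str) -> list[str]:
    """Return the login module class names in a JAAS config string, in order."""
    return [m.group(1) for m in _ENTRY.finditer(jaas_config)]

def audit_connector_config(config: dict[str, str]) -> list[str]:
    """Return one finding per disallowed module under a JAAS key. A value that
    parses to no entries is reported too, so it gets reviewed, not waved through."""
    findings = []
    for key in JAAS_KEYS:
        value = config.get(key)
        if value is None:
            continue
        modules = login_modules(value)
        if not modules:
            findings.append(f"{key}: unparseable JAAS config")
        findings.extend(f"{key}: {m}" for m in modules if m in DISALLOWED_MODULES)
    return findings

# Constructed sample: a normal PLAIN login on the main client, but the producer
# override swaps in JndiLoginModule, the pattern the report describes.
SAMPLE = {
    "sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule "
                        'required username="u" password="p";',
    "producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;",
}

if __name__ == "__main__":
    for finding in audit_connector_config(SAMPLE):
        print("REJECT", finding)  # one line, for the producer override
```

The lint treats `;` as the entry terminator, so a quoted option value containing `;` would need a fuller JAAS tokenizer before relying on it.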

