RULE(RULE ID:337304)

Rule General Information
Release Date: 2023-02-10
Rule Name: Apache Kafka Connect JNDI Injection Vulnerability (CVE-2023-25194)
Severity:
CVE ID:
Rule Protection Details
Description: Kafka is an open source stream processing platform developed by the Apache Software Foundation. The goal of the project is to provide a unified, high-throughput, low-latency platform for processing real-time data. Kafka Connect is a tool for the scalable and reliable transfer of data between Apache Kafka and other data systems. A security vulnerability has been discovered in Apache Kafka Connect which affects Kafka Connect clusters starting from Apache Kafka 2.3.0. When configuring a connector via the Kafka Connect REST API, an authenticated administrator can set the "sasl.jaas.config" property of any connector's Kafka client to "com.sun.security.auth.module.JndiLoginModule", which allows the server to connect to an attacker-controlled LDAP server; the attacker can then trigger unrestricted deserialization of untrusted data or remote code execution. Starting with Apache Kafka 3.4.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") was added to disable problematic login modules in SASL JAAS configurations, and "com.sun.security.auth.module.JndiLoginModule" is disabled by default in Apache Kafka 3.4.0. Kafka Connect users are advised to validate connector configurations and only allow trusted JNDI configurations. They should also check for vulnerable versions of connector dependencies and either upgrade the connector, upgrade that specific dependency, or delete the connector.
Impact: An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software.
Affected OS: Windows, Linux, Others
Reference: https://kafka.apache.org/cve-list
https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz
Solutions
The official security update, Apache Kafka 3.4.0, has been released; it is recommended to upgrade to a fixed version.
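The description advises validating connector configurations before they reach the Connect REST API, and the 3.4.0 fix does this with a deny list of login module classes. The following is an added example of such a pre-flight check, written for this page and not code from Apache Kafka or this rule's vendor. It assumes the default deny list of the 3.4.0 system property is exactly "com.sun.security.auth.module.JndiLoginModule", that client-override keys follow the "producer.override.sasl.jaas.config" naming, and it uses constructed request bodies rather than captured traffic. It also rejects JAAS strings it cannot parse, so a malformed entry is not silently accepted.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Default value of the Kafka 3.4.0 system property
# -Dorg.apache.kafka.disallowed.login.modules (a comma-separated list of class names).
# Assumed default; extend the set to enforce your own policy.
DISALLOWED_LOGIN_MODULES = frozenset({"com.sun.security.auth.module.JndiLoginModule"})

# A JAAS config entry starts with the login module class name, then a control flag,
# then optional key=value options, and ends with ';'.
JAAS_MODULE_RE = re.compile(
    r"^\s*([A-Za-z_][\w.$]*)\s+(required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)


def login_module_of(jaas_config: str) -> Optional[str]:
    """Return the login module class named by a JAAS config string, or None if it does not parse."""
    m = JAAS_MODULE_RE.match(jaas_config)
    return m.group(1) if m else None


def jaas_config_keys(config: Dict[str, str]) -> List[str]:
    """Connector config keys that carry a JAAS config: the bare key and any client-override
    form such as producer.override.sasl.jaas.config (assumed naming; adjust to your deployment)."""
    return [k for k in config if k == "sasl.jaas.config" or k.endswith(".sasl.jaas.config")]


def find_disallowed_login_modules(
    config: Dict[str, str],
    disallowed: frozenset = DISALLOWED_LOGIN_MODULES,
) -> List[Tuple[str, str]]:
    """Return (key, reason) pairs for every JAAS config in a connector config that must be rejected.
    Unparseable JAAS strings are rejected too, so a malformed entry cannot slip past the check."""
    findings: List[Tuple[str, str]] = []
    for key in jaas_config_keys(config):
        module = login_module_of(str(config[key]))
        if module is None:
            findings.append((key, "unparseable JAAS config"))
        elif module in disallowed:
            findings.append((key, module))
    return findings


def validate_connector_request(body: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Validate the JSON body of a PUT /connectors/<name>/config request.
    Returns (accepted, findings); accepted is False whenever any finding exists."""
    config = json.loads(body)
    findings = find_disallowed_login_modules(config)
    return (len(findings) == 0, findings)


# Constructed sample request bodies (not real captured traffic).
SAFE_REQUEST = json.dumps({
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "orders",
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required username="svc" password="placeholder";',
})

UNSAFE_REQUEST = json.dumps({
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "orders",
    "producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;",
})

MALFORMED_REQUEST = json.dumps({
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "sasl.jaas.config": "this is not a JAAS entry",
})


if __name__ == "__main__":
    for name, body in [("safe", SAFE_REQUEST), ("unsafe", UNSAFE_REQUEST), ("malformed", MALFORMED_REQUEST)]:
        accepted, findings = validate_connector_request(body)
        print(f"{name}: {'accepted' if accepted else 'rejected'} {findings}")
```

The check is a deny list, matching what the 3.4.0 property does; on clusters that cannot be upgraded yet, an allow list of the login module classes actually in use (for example only PlainLoginModule or ScramLoginModule) is the stricter policy and is a one-line change to find_disallowed_login_modules.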