Apache Kafka update for jackson-databind

Published: 2019-12-02 | Updated: 2019-12-02
Severity High
Patch available YES
Number of vulnerabilities 11
CVE ID CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14540
CVE-2019-12086
CVE-2019-14439
CVE-2019-14379
CVE-2019-12384
CVE-2019-12814
CWE ID CWE-20
CWE-200
CWE-264
CWE-502
Exploitation vector Network
Public exploit Public exploit code for vulnerability #7 is available.
Vulnerable software Apache Kafka Subscribe
Vendor Apache Foundation

Security Advisory

1) Input validation error

Severity: Medium

CVSSv3: 5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-17531

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to compromise the affected software.

The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

Severity: Medium

CVSSv3: 7.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-17267

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

Severity: Medium

CVSSv3: 7.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-16943

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

Severity: Medium

CVSSv3: 7.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-16942

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-16335

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-14540

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Information disclosure

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14439

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Permissions, Privileges, and Access Controls

Severity: High

CVSSv3: 8.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Deserialization of Untrusted Data

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12384

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Information disclosure

Severity: Medium

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12814

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to access sensitive information on a targeted system.

The vulnerability exist due to a polymorphic typing issue when Default Typing is enabled. A remote attacker can send a crafted JSON message that submits malicious input and gain access to sensitive information on the targeted system.


Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0, 2.2.1, 2.3.0

CPE External links

https://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.