Apache Kafka update for jackson-databind

Published: 2019-12-02

Risk	High
Patch available	YES
Number of vulnerabilities	11
CVE-ID	CVE-2019-17531 CVE-2019-17267 CVE-2019-16943 CVE-2019-16942 CVE-2019-16335 CVE-2019-14540 CVE-2019-12086 CVE-2019-14439 CVE-2019-14379 CVE-2019-12384 CVE-2019-12814
CWE-ID	CWE-20 CWE-200 CWE-264 CWE-502
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available.
Vulnerable software Subscribe	Apache Kafka Client/Desktop applications / Messaging software
Vendor	Apache Foundation

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU21750

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-17531

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected software.

The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU21594

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-17267

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Input validation error

EUVDB-ID: #VU21593

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-16943

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Input validation error

EUVDB-ID: #VU21580

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-16942

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Information disclosure

EUVDB-ID: #VU21136

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-16335

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Information disclosure

EUVDB-ID: #VU21135

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-14540

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Information disclosure

EUVDB-ID: #VU19941

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Information disclosure

EUVDB-ID: #VU19937

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-14439

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU19933

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Deserialization of Untrusted Data

EUVDB-ID: #VU19018

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-12384

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Information disclosure

EUVDB-ID: #VU18961

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-12814

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to access sensitive information on a targeted system.

The vulnerability exist due to a polymorphic typing issue when Default Typing is enabled. A remote attacker can send a crafted JSON message that submits malicious input and gain access to sensitive information on the targeted system.

Mitigation

The vulnerabilities are fixed in versions 2.3.1 and 2.2.2.

Vulnerable software versions

Apache Kafka: 2.2.0 - 2.3.0

CPE2.3

cpe:2.3:a:apache_foundation:apache_kafka:2.3.0:*:*:*:*:*:*:*

External links

http://www.apache.org/dist/kafka/2.2.2/RELEASE_NOTES.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?