SB2024031528 - Multiple vulnerabilities in Apache Pulsar
Published: March 15, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-28098)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user with produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-27894)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specially crafted HTTP request and read arbitrary files with privileges of the Pulsar Functions Worker process or initiate requests to internal systems.
3) Path traversal (CVE-ID: CVE-2024-27317)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to improper validation of file names inside .jar and .nar files. A remote user can upload a specially crafted archive to the application and overwrite arbitrary files on the system.
4) Code Injection (CVE-ID: CVE-2024-27135)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote authenticated user can send a specially crafted request and execute arbitrary Java code on the Pulsar Function worker.
Remediation
Install update from vendor's website.
References
- https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
- https://pulsar.apache.org/security/CVE-2024-28098/
- https://lists.apache.org/thread/c4t14729k2ln4mtr2n0z66nh7o1j8q66
- https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p
- https://pulsar.apache.org/security/CVE-2024-27894/
- https://lists.apache.org/thread/cy4o2cyymdvy3s2nkotxbfblbyd9zhqz
- https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po
- https://pulsar.apache.org/security/CVE-2024-27317/
- https://lists.apache.org/thread/n1pbx90r45rb6jcnj2g8s95nh872fztn
- https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
- https://pulsar.apache.org/security/CVE-2024-27135/
- https://lists.apache.org/thread/y5f2vht63h0sc1xcyt5s1l4scdshxb3l