Deserialization of Untrusted Data in Apache Kafka - CVE-2023-25194


Published: February 11, 2023 / Updated: April 19, 2024


Vulnerability identifier: #VU72123
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2023-25194
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Apache Foundation
Affected software:
Apache Kafka

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists because Apache Kafka Connect performs deserialization of data retrieved from the configured LDAP server in "com.sun.security.auth.module.JndiLoginModule". A remote user with the ability to create or modify connectors on the server, supplying an arbitrary Kafka client SASL JAAS config, can configure the server to connect to a malicious LDAP server and execute arbitrary Java code on the system.


How to mitigate CVE-2023-25194

Install updates from the vendor's website; the fix disables the use of the problematic login modules in the SASL JAAS configuration.

It is also recommended to validate connector configurations and only allow trusted JNDI configurations.
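As an added defensive check that is not part of this advisory or of Apache Kafka's own code: a small audit of connector configurations that flags any `sasl.jaas.config` value naming a login module a connector should never be allowed to use. It assumes Kafka Connect's `producer.override.`/`consumer.override.`/`admin.override.` client-override key names and the standard JAAS entry syntax; the sample configs are constructed.

```python
import re

# Login modules a connector-supplied JAAS config must never name.
DISALLOWED_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}
# Connector keys ending in this suffix reach the worker's own Kafka clients.
JAAS_KEY_SUFFIX = "sasl.jaas.config"

# One JAAS entry: "<module class> <control flag> [key=value ...];"
_ENTRY_RE = re.compile(
    r"\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b([^;]*);", re.I)
_OPTION_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_jaas_entries(jaas: str) -> list[tuple[str, dict[str, str]]]:
    """Split a JAAS config string into (module_class, options) pairs.
    Quoted option values that themselves contain ';' are not handled."""
    entries = []
    for m in _ENTRY_RE.finditer(jaas):
        options = {k: v.strip('"') for k, v in _OPTION_RE.findall(m.group(3))}
        entries.append((m.group(1), options))
    return entries


def audit_connector_config(config: dict[str, str]) -> list[str]:
    """Return one finding per JAAS entry that names a disallowed module."""
    findings = []
    for key, value in config.items():
        if not key.endswith(JAAS_KEY_SUFFIX):
            continue
        for module, options in parse_jaas_entries(value):
            if module in DISALLOWED_MODULES:
                findings.append(f"{key}: disallowed login module {module}, "
                                f"options {sorted(options)}")
    return findings


# Constructed sample connector configs, not taken from any real deployment.
SAMPLE_SAFE = {
    "name": "orders-sink",
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="svc-orders" password="example-secret";',
}
SAMPLE_RISKY = {
    "name": "orders-sink",
    "consumer.override.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://ldap.example.invalid/" useSSL=false;',
}
```

The worker-side `connector.client.config.override.policy` setting controls whether connectors may override client properties at all; restricting it complements checking the values that are allowed through.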


Sources