#VU72123 Deserialization of Untrusted Data in Apache Kafka - CVE-2023-25194
Vulnerability identifier: #VU72123
Vulnerability risk: Low
CVSSv4.0: 7.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID:
CWE-ID:
CWE-502
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Apache Kafka
Client/Desktop applications /
Messaging software
Vendor: Apache Foundation
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to Apache Kafka Connect performs deserialization of data retrieved from the configured LDAP server in "com.sun.security.auth.module.JndiLoginModule". A remote user ability to create/modify connectors on the server with an arbitrary Kafka client SASL JAAS config can configure the server to connect to a malicious LDAP server and execute arbitrary Java code on the system.
Mitigation
Install updates from vendor's website, which disables the problematic login modules usage in SASL JAAS configuration.
It is also recommended to validate connector configurations and only allow trusted JNDI configurations.
Vulnerable software versions
Apache Kafka: 3.0.0 - 3.0.2, 3.1.0 - 3.1.2, 3.2.0 - 3.2.3, 3.3.0, 3.3.1, 3.3.2
External links
http://kafka.apache.org/cve-list
http://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
