Please check "Restricting target broker addresses to mitigate CVE-2022-24280" 
[1] in the Apache Pulsar documentation for more details about configuring the 
Pulsar Proxy.
 
[1] 
https://github.com/apache/pulsar/blob/master/site2/docs/administration-proxy.md#restricting-target-broker-addresses-to-mitigate-cve-2022-24280

On 2022/09/22 17:31:53 Lari Hotari wrote:
> Severity: important
> 
> Description:
> 
> Improper Input Validation vulnerability in Proxy component of Apache Pulsar 
> allows an attacker to make TCP/IP connection attempts that originate from the 
> Pulsar Proxy's IP address.
> 
> When the Apache Pulsar Proxy component is used, it is possible to attempt to 
> open TCP/IP connections to any IP address and port that the Pulsar Proxy can 
> connect to. An attacker could use this as a way for DoS attacks that 
> originate from the Pulsar Proxy's IP address.
> It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. 
> The attacker will have to have a valid token to a properly secured Pulsar 
> Proxy.
> 
> This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 
> 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.
> 
> Mitigation:
> 
> To address the issue, upgraded versions of Apache Pulsar Proxy will only 
> allow connections to known broker ports 6650 and 6651 by default. In 
> addition, it is necessary to limit proxied broker connections further to 
> known broker addresses by specifying brokerProxyAllowedHostNames and 
> brokerProxyAllowedIPAddresses Pulsar Proxy settings. In Pulsar Helm chart 
> deployments, the setting names should be prefixed with "PULSAR_PREFIX_".
> 
> 2.7 users should upgrade Pulsar Proxies to 2.7.5 and apply configuration 
> changes.
> 2.8 users should upgrade Pulsar Proxies to at least 2.8.3 and apply 
> configuration changes.
> 2.9 users should upgrade Pulsar Proxies to at least 2.9.2 and apply 
> configuration changes.
> 2.10 users should apply configuration changes.
> Any users running the Pulsar Proxy 2.6.4 and earlier should upgrade to one of 
> the above patched versions and apply configuration changes.
> 
> Credit:
> 
> This issue was discovered by Lari Hotari of DataStax.
> 
> 
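As an added example (not code from the Pulsar project, nor from the advisory author), the following Python check mirrors the mitigation described above: a proxied broker target is accepted only if its port is one of the known broker ports 6650/6651 and its host matches the operator's brokerProxyAllowedHostNames or brokerProxyAllowedIPAddresses list. The sample proxy.conf fragment, the leading-wildcard hostname syntax and the CIDR syntax for the IP list are assumptions made for the illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Ports the upgraded Pulsar Proxy allows by default (from the advisory).
KNOWN_BROKER_PORTS = {6650, 6651}

# Constructed proxy.conf fragment for the example (not a real deployment).
SAMPLE_PROXY_CONF = """
# broker allowlist settings (constructed sample)
brokerProxyAllowedHostNames=*.brokers.example.internal,broker-static.example.internal
brokerProxyAllowedIPAddresses=10.20.0.0/16,192.0.2.10
"""


def parse_proxy_conf(text):
    """Parse key=value lines (comments and blanks skipped) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _split_list(conf, key):
    return [item.strip() for item in conf.get(key, "").split(",") if item.strip()]


def target_allowed(conf, host, port):
    """Return True only if host:port passes both the port and allowlist checks.

    Assumed semantics: hostname entries may carry a leading wildcard
    (*.example.internal); IP entries are single addresses or CIDR networks.
    With no allowlist configured the check denies everything (deny by default).
    """
    if port not in KNOWN_BROKER_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        networks = _split_list(conf, "brokerProxyAllowedIPAddresses")
        return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)
    patterns = _split_list(conf, "brokerProxyAllowedHostNames")
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)
```

For Helm chart deployments the same two keys would appear with the "PULSAR_PREFIX_" prefix, as the advisory notes; the parser above does not strip that prefix.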
