Severity: moderate

Affected versions:

- Apache Kafka Clients 2.3.0 through 3.5.2
- Apache Kafka Clients 3.6.0 through 3.6.2
- Apache Kafka Clients 3.7.0 through 3.7.1

Description:

Files or Directories Accessible to External Parties, Improper Privilege 
Management vulnerability in Apache Kafka Clients.

Apache Kafka Clients accept configuration data for customizing behavior, and 
includes ConfigProvider plugins in order to manipulate these configurations. 
Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and 
EnvVarConfigProvider implementations which include the ability to read from 
disk or environment variables.
In applications where Apache Kafka Clients configurations can be specified by 
an untrusted party, attackers may use these ConfigProviders to read arbitrary 
contents of the disk and environment variables.

In particular, this flaw may be used in Apache Kafka Connect to escalate from 
REST API access to filesystem/environment access, which may be undesirable in 
certain environments, including SaaS products.
This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.1.


Users with affected applications are recommended to upgrade kafka-clients to 
version >=3.8.0, and set the JVM system property 
"org.apache.kafka.automatic.config.providers=none".
Users of Kafka Connect with one of the listed ConfigProvider implementations 
specified in their worker config are also recommended to add appropriate 
"allowlist.pattern" and "allowed.paths" to restrict their operation to 
appropriate bounds.


For users of Kafka Clients or Kafka Connect in environments that trust users 
with disk and environment variable access, it is not recommended to set the 
system property.
For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka 
command-line tools, it is not recommended to set the system property.

Credit:

Greg Harris (finder)
Mickael Maison (remediation reviewer)
Chris Egerton (remediation reviewer)

References:

https://kafka.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31141

Reply via email to