Hi Everyone,

Due to an oversight, the Affected versions are incorrect. Version 3.7.1 of kafka-clients is not vulnerable. This is the correct data:

Affected versions:

- Apache Kafka Clients 2.3.0 through 3.5.2
- Apache Kafka Clients 3.6.0 through 3.6.2
- Apache Kafka Clients 3.7.0

This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.

Thanks,
Greg Harris

On Mon, Nov 18, 2024 at 10:42 AM Greg Harris <ghar...@apache.org> wrote:
> Severity: moderate
>
> Affected versions:
>
> - Apache Kafka Clients 2.3.0 through 3.5.2
> - Apache Kafka Clients 3.6.0 through 3.6.2
> - Apache Kafka Clients 3.7.0 through 3.7.1
>
> Description:
>
> Files or Directories Accessible to External Parties, Improper Privilege
> Management vulnerability in Apache Kafka Clients.
>
> Apache Kafka Clients accept configuration data for customizing behavior,
> and include ConfigProvider plugins in order to manipulate these
> configurations. Apache Kafka also provides FileConfigProvider,
> DirectoryConfigProvider, and EnvVarConfigProvider implementations which
> include the ability to read from disk or environment variables.
> In applications where Apache Kafka Clients configurations can be specified
> by an untrusted party, attackers may use these ConfigProviders to read
> arbitrary contents of the disk and environment variables.
>
> In particular, this flaw may be used in Apache Kafka Connect to escalate
> from REST API access to filesystem/environment access, which may be
> undesirable in certain environments, including SaaS products.
> This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2,
> 3.7.1.
>
> Users with affected applications are recommended to upgrade kafka-clients
> to version >=3.8.0, and set the JVM system property
> "org.apache.kafka.automatic.config.providers=none".
> Users of Kafka Connect with one of the listed ConfigProvider
> implementations specified in their worker config are also recommended to
> add appropriate "allowlist.pattern" and "allowed.paths" to restrict their
> operation to appropriate bounds.
>
> For users of Kafka Clients or Kafka Connect in environments that trust
> users with disk and environment variable access, it is not recommended to
> set the system property.
> For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and
> Kafka command-line tools, it is not recommended to set the system property.
>
> Credit:
>
> Greg Harris (finder)
> Mickael Maison (remediation reviewer)
> Chris Egerton (remediation reviewer)
>
> References:
>
> https://kafka.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-31141
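As an added example (not part of the advisory or of Kafka's own code): a Python audit that applies the bounds the advisory recommends to connector configurations fetched from the Connect REST API, flagging ${file:...}, ${directory:...} and ${env:...} references that fall outside a worker's allowed.paths or allowlist.pattern. It assumes the worker properties are available as a dict, treats allowlist.pattern as a full-match regex, and uses constructed sample configs.

```python
import os
import re

# Kafka's ${provider:[path:]key} reference syntax: provider alias, optional path, key.
VARIABLE_RE = re.compile(r"\$\{([^}]*?):(([^}]*?):)?([^}]*?)\}")
PATH_PROVIDERS = {"org.apache.kafka.common.config.provider.FileConfigProvider",
                  "org.apache.kafka.common.config.provider.DirectoryConfigProvider"}
ENV_PROVIDER = "org.apache.kafka.common.config.provider.EnvVarConfigProvider"

def provider_classes(worker):
    """Map each alias listed in config.providers to its configured class name."""
    aliases = [a.strip() for a in worker.get("config.providers", "").split(",") if a.strip()]
    return {a: worker.get(f"config.providers.{a}.class", "") for a in aliases}

def path_allowed(path, bases):
    """Normalise lexically (collapsing '..') and require the path to sit under an allowed base."""
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p.rstrip("/") + "/")
               for p in (os.path.normpath(b) for b in bases))

def audit_connector_config(connector, worker):
    """Return (config key, alias, path, key) for each reference that escapes the worker's bounds."""
    classes, findings = provider_classes(worker), []
    for name, value in connector.items():
        for m in VARIABLE_RE.finditer(str(value)):
            alias, path, key = m.group(1), m.group(3) or "", m.group(4)
            cls = classes.get(alias)  # unknown aliases are left unresolved by Kafka, so skipped
            if cls in PATH_PROVIDERS:
                bases = [p for p in worker.get(f"config.providers.{alias}.param.allowed.paths", "").split(",") if p]
                if not bases or not path_allowed(path, bases):  # no allowed.paths: whole disk is readable
                    findings.append((name, alias, path, key))
            elif cls == ENV_PROVIDER:
                pattern = worker.get(f"config.providers.{alias}.param.allowlist.pattern")
                if pattern is None or not re.fullmatch(pattern, key):  # no allowlist: whole environment
                    findings.append((name, alias, path, key))
    return findings

# Constructed sample: a bounded worker config and a connector config submitted over the REST API.
WORKER = {
    "config.providers": "file,env",
    "config.providers.file.class": "org.apache.kafka.common.config.provider.FileConfigProvider",
    "config.providers.file.param.allowed.paths": "/etc/kafka/secrets",
    "config.providers.env.class": "org.apache.kafka.common.config.provider.EnvVarConfigProvider",
    "config.providers.env.param.allowlist.pattern": "CONNECT_.*",
}
CONNECTOR = {
    "connection.password": "${file:/etc/kafka/secrets/db.properties:password}",  # within bounds
    "connection.user": "${file:/etc/kafka/secrets/../../hosts:entry}",  # '..' escapes allowed.paths
    "api.token": "${env:AWS_SECRET_ACCESS_KEY}",  # not matched by allowlist.pattern
}
```

Running audit_connector_config(CONNECTOR, WORKER) reports the second and third references; a worker that lists a provider without allowed.paths or allowlist.pattern gets every reference to it reported, which is the unbounded state the advisory describes.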