CVE-2023-25194: Apache Kafka Remote Code Execution Vulnerability
A vulnerability addressed by the latest update for Apache Kafka is an unsafe Java deserialization issue that an authenticated user could exploit to execute code remotely.
Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications. More than 80% of all Fortune 100 companies trust and use Kafka.
Tracked as CVE-2023-25194, the flaw could allow a remote authenticated attacker to execute arbitrary code on the system. It is caused by unsafe deserialization when a connector is configured via the Kafka Connect REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system. Apache has rated the vulnerability as “important.”
“When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector’s Kafka clients to “com.sun.security.auth.module.JndiLoginModule”, which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties,” according to an Apache advisory.
“This will allow the server to connect to the attacker’s LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.”
CVE-2023-25194 was addressed with the release of Apache Kafka version 3.4.0, and users are advised to upgrade to the patched version as soon as possible. Details of the flaw are available on HackerOne.
Users can also mitigate the impact of this vulnerability by validating connector configurations and only allowing trusted JNDI configurations. Administrators should also examine connector dependencies for vulnerable versions; remediation options are to upgrade the connectors, upgrade the specific dependency, or remove the affected connectors.
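As an illustration of the configuration-validation mitigation described above, the following added example (not Apache's code and not part of the advisory) audits connector configurations of the shape returned by the Kafka Connect REST API (`GET /connectors/<name>/config`). It parses every `sasl.jaas.config` value, including the `producer.override.`, `consumer.override.` and `admin.override.` variants named in the advisory, and flags any login module not on an allowlist. The allowlist contents and the two sample connector configs are constructed for the example; the allowlist should be adjusted to the modules a given deployment actually uses.

```python
"""Audit Kafka Connect connector configs for untrusted JAAS login modules.

Added example (not Apache Kafka's own code). The connector configs below are
constructed sample data in the shape of GET /connectors/<name>/config output.
"""
import re

# Login modules treated as trusted here. This set is an assumption for the
# example; restrict it to what your cluster actually uses.
TRUSTED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "com.sun.security.auth.module.Krb5LoginModule",
}

# Keys through which a connector can hand a JAAS config to its embedded Kafka
# clients: the three override prefixes from the advisory plus the bare key.
JAAS_KEY_RE = re.compile(
    r"^(?:(?:producer|consumer|admin)\.override\.)?sasl\.jaas\.config$"
)


def login_modules(jaas_config: str) -> list[str]:
    """Return the login module class names found in a JAAS config string.

    Each JAAS entry has the form ``<ModuleClass> <flag> [option=value ...];``,
    so the class name is the first whitespace-separated token of each entry.
    (Limitation: a literal ';' inside a quoted option value would split an
    entry early; such values are unusual in Kafka client configs.)
    """
    modules = []
    for entry in jaas_config.split(";"):
        tokens = entry.strip().split()
        if tokens:
            modules.append(tokens[0])
    return modules


def audit_connector(name: str, config: dict) -> list[str]:
    """Return one finding per untrusted login module in the connector's config."""
    findings = []
    for key, value in config.items():
        if not JAAS_KEY_RE.match(key):
            continue
        for module in login_modules(str(value)):
            if module not in TRUSTED_LOGIN_MODULES:
                findings.append(f"{name}: {key} uses untrusted login module {module}")
    return findings


def audit_all(connectors: dict) -> list[str]:
    """Audit a mapping of connector name -> config and collect all findings."""
    return [f for name, cfg in connectors.items() for f in audit_connector(name, cfg)]


# Constructed sample data: one benign connector, one carrying the module the
# advisory warns about. Connector class names are placeholders.
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "connector.class": "com.example.OrdersSinkConnector",
        "producer.override.sasl.jaas.config": (
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="svc-orders" password="REDACTED";'
        ),
    },
    "suspicious-source": {
        "connector.class": "com.example.SomeSourceConnector",
        "consumer.override.sasl.jaas.config": (
            "com.sun.security.auth.module.JndiLoginModule required;"
        ),
    },
}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_CONNECTORS) or ["no untrusted login modules found"]:
        print(line)
```

In a real deployment the `SAMPLE_CONNECTORS` mapping would be filled from the REST API (`GET /connectors` followed by `GET /connectors/<name>/config`) and the audit run periodically or before a connector is accepted; an allowlist is preferable to a denylist of `JndiLoginModule` alone because it also catches any other login module an operator never intended to permit.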