Apache Kafka Connect Remote Code Execution Vulnerability (CVE-2023-25194)

Feb 10, 2023 GMT+08:00

I. Overview

Apache recently released a security notice disclosing a remote code execution vulnerability (CVE-2023-25194) in some versions of Apache Kafka. When configuring a connector through the Kafka Connect REST API, an authenticated operator can set a property of the connector's Kafka client to a specific value to launch a JNDI injection attack and achieve remote code execution. A POC has been disclosed, so the risk is high.

Apache Kafka is a distributed data stream processing platform. Kafka Connect is a tool used to transmit data between Apache Kafka and other data systems in a scalable and reliable manner. If you are an Apache Kafka user, check your system and implement timely security hardening.

References:

https://kafka.apache.org/cve-list

https://lists.apache.org/thread/rn8vn4d9dbxc6817c5wz1dhhoshp1s25

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Kafka 2.3.0 - 3.3.2

Secure versions:

Apache Kafka 3.4.0

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://github.com/apache/Kafka/tags
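Two checks an operator can script before and after the upgrade: whether a reported Kafka version falls inside the affected range above, and whether any existing connector configuration already carries the JNDI login module in a JAAS setting. The script below is an added example written for this notice; it is not Huawei Cloud or Apache code. It relies on two facts from the public Apache advisory for this CVE (the injected class is `com.sun.security.auth.module.JndiLoginModule` and it is supplied through a `sasl.jaas.config` client property, which Kafka Connect also accepts under the `producer.override.`, `consumer.override.` and `admin.override.` prefixes). The connector names and configurations are constructed sample data in the shape returned by `GET /connectors/{name}/config`, not a real deployment.

```python
"""Audit helper for CVE-2023-25194 exposure in a Kafka Connect deployment.

Checks performed:
  1. Is a given Kafka version inside the affected range 2.3.0 - 3.3.2?
  2. Does any connector configuration load JndiLoginModule via a JAAS setting?

Added example for this notice; connector data below is constructed.
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (2, 3, 0)   # first affected version named in the notice
AFFECTED_MAX = (3, 3, 2)   # last affected version named in the notice
FIXED_VERSION = (3, 4, 0)  # secure version named in the notice

# Login module the Apache advisory identifies as the JNDI vector.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

# Kafka Connect allows per-connector client overrides with these prefixes,
# so the JAAS setting may sit under several keys, not only sasl.jaas.config.
JAAS_KEY_RE = re.compile(
    r"^(producer\.override\.|consumer\.override\.|admin\.override\.)?sasl\.jaas\.config$"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.3.2' (or '3.3.2-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kafka version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the affected range from the notice."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_jndi_jaas_settings(config: Dict[str, str]) -> List[str]:
    """Return the JAAS config keys whose value references JndiLoginModule."""
    hits = []
    for key, value in config.items():
        if JAAS_KEY_RE.match(key) and JNDI_LOGIN_MODULE in str(value):
            hits.append(key)
    return sorted(hits)


def audit_connectors(connectors: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map connector name -> offending keys, only for connectors with findings."""
    findings: Dict[str, List[str]] = {}
    for name, config in connectors.items():
        keys = find_jndi_jaas_settings(config)
        if keys:
            findings[name] = keys
    return findings


# Constructed sample data (hypothetical connector names) in the shape of
# the Connect REST API's GET /connectors/{name}/config responses.
SAMPLE_CONNECTORS: Dict[str, Dict[str, str]] = {
    "orders-sink": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
        "topics": "orders",
        # Flagged: consumer override loads the JNDI login module.
        "consumer.override.sasl.jaas.config": f"{JNDI_LOGIN_MODULE} required;",
    },
    "audit-source": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSourceConnector",
        "topic": "audit",
        # Not flagged: ordinary SASL/PLAIN login module.
        "producer.override.sasl.jaas.config": (
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="svc" password="<placeholder>";'
        ),
    },
    "metrics-sink": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
        "topics": "metrics",
        # Not flagged: no JAAS setting at all.
    },
}


if __name__ == "__main__":
    for v in ("2.2.1", "2.3.0", "3.3.2", "3.4.0"):
        print(f"Kafka {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for name, keys in audit_connectors(SAMPLE_CONNECTORS).items():
        print(f"connector {name!r} loads JndiLoginModule via {keys}")
```

The version check is deliberately inclusive at both ends, matching the range the notice gives; the connector audit keys only on the login module class name, so it does not depend on any particular JAAS option syntax and will not fire on legitimate PLAIN or SCRAM modules.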

Huawei Cloud WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.