One vulnerability addressed by the latest Apache Kafka update is an insecure Java deserialization vulnerability that could be exploited to execute code remotely, with authentication.
Apache Kafka is an open source distributed event streaming platform used by thousands of enterprises for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications. Over 80% of all Fortune 100 companies trust and use Kafka.
Tracked as CVE-2023-25194 Apache Kafka could allow an authenticated remote attacker to execute arbitrary code on the system, caused by insecure deserialization while configuring the connector via the Kafka Connect REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system. Apache Kafka has been listed as “ important ”.
“ When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector’s Kafka clients to “com.sun.security.auth.module.JndiLoginModule” , which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config` or `admin.override.sasl.jaas.config` properties ”, according to an Apache advisory.
This will allow the server to connect to the attacker’s LDAP server and deserialize the LDAP response, which the attacker can use to run Java deserialization device chains on the Kafka Connect server. The attacker can cause unrestricted deserialization of untrusted data (or) the RCE vulnerability when there are devices on the classpath. ”
CVE-2023-25194 was fixed with the release of Apache Kafka version 3.4.0, and users are encouraged to upgrade to patched iterations as soon as possible. The vulnerability detail is available on Hackerone.
Users can also mitigate the impact of this vulnerability by validating socket configurations and only allowing trusted JNDI configurations. Also, scan your plug-in dependencies for vulnerable versions and update your plug-ins, update that specific dependency, or remove the plug-ins as options for repair.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His daily work includes investigating new malware and cybersecurity incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.
Send news tips to [email protected] or www.instagram.com/iicsorg/
You can also find us on Telegram www.t.me/noticiasciberseguridad