This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 2df57800d MINOR: add CVE-2025-27817,CVE-2025-27818,CVE-2025-27819 
(#694)
2df57800d is described below

commit 2df57800d65e191aaaf0332b83fc23f6b8ba60d9
Author: Luke Chen <[email protected]>
AuthorDate: Tue Jun 10 14:31:55 2025 +0800

    MINOR: add CVE-2025-27817,CVE-2025-27818,CVE-2025-27819 (#694)
    
    add CVE-2025-27817,CVE-2025-27818,CVE-2025-27819
---
 cve-list.html | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index 95dc33794..84c88a031 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -21,6 +21,127 @@ apply to Kafka <a 
href="https://github.com/apache/kafka/blob/trunk/gradle/resour
 You are invited to <a 
href="https://kafka.apache.org/contributing.html";>contribute</a> version 
updates or (motivated) suppressions.
 </p>
 
+      <h2 id="CVE-2025-27819"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-27819";>CVE-2025-27819</a> 
Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS 
JndiLoginModule configuration</h2>
+
+      <p>In CVE-2023-25194, we announced the RCE/Denial of service attack via 
SASL JAAS JndiLoginModule configuration in Kafka Connect API.
+        But not only Kafka Connect API is vulnerable to this attack, the 
Apache Kafka brokers also have this vulnerability.
+        To exploit this vulnerability, the attacker needs to be able to 
connect to the Kafka cluster and have the AlterConfigs permission on the 
cluster resource.</p>
+
+      <p>Since Apache Kafka 3.4.0, we have added a system property 
("-Dorg.apache.kafka.disallowed.login.modules") to
+        disable the problematic login modules usage in SASL JAAS 
configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" 
is disabled in Apache Kafka 3.4.0,
+        and 
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule"
 is disabled by default in Apache Kafka 3.9.1/4.0.0.</p>
+
+      </p>
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>2.0.0 - 3.3.2</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.9.1, 4.0.0</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>Possible RCE/Denial of service attack via SASL JAAS 
JndiLoginModule configuration</td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td>We advise all Kafka users to upgrade kafka to version 
>=3.9.1.</td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>9 Jun 2025</td>
+        </tr>
+        </tbody>
+      </table>
+
+      <h2 id="CVE-2025-27818"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-27818";>CVE-2025-27818</a> 
Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule 
configuration</h2>
+
+      <p>A possible security vulnerability has been identified in Apache Kafka.
+        This requires access to a alterConfig to the cluster resource, or 
Kafka Connect worker, and the ability to create/modify connectors on it with an 
arbitrary Kafka client SASL JAAS config
+        and a SASL-based security protocol, which has been possible on Kafka 
clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0).
+        When configuring the broker via config file or AlterConfig command, or 
connector via the Kafka Kafka Connect REST API, an authenticated operator can 
set the `sasl.jaas.config`
+        property for any of the connector's Kafka clients to 
"com.sun.security.auth.module.LdapLoginModule", which can be done via the
+        `producer.override.sasl.jaas.config`, 
`consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` 
properties.
+        This will allow the server to connect to the attacker's LDAP server 
and deserialize the LDAP response,
+        which the attacker can use to execute java deserialization gadget 
chains on the Kafka connect server.
+        Attacker can cause unrestricted deserialization of untrusted data (or) 
RCE vulnerability when there are gadgets in the classpath.</p>
+
+      <p>Since Apache Kafka 3.9.1/4.0.0, we have added a system property 
("-Dorg.apache.kafka.disallowed.login.modules")
+        to disable the problematic login modules usage in SASL JAAS 
configuration.
+        Also by default 
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule"
 are disabled in Apache Kafka Connect 3.9.1/4.0.0. </p>
+
+      </p>
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>2.3.0 - 3.9.0</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.9.1, 4.0.0</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>Possible RCE attack via SASL JAAS LdapLoginModule 
configuration</td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td>We advise all Kafka users to upgrade kafka to version >=3.9.1.
+          </td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>9 Jun 2025</td>
+        </tr>
+        </tbody>
+      </table>
+
+      <h2 id="CVE-2025-27817"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-27817";>CVE-2025-27817</a> 
Apache Kafka Client: Arbitrary file read and SSRF vulnerability</h2>
+
+      <p>A possible arbitrary file read and SSRF vulnerability has been 
identified in Apache Kafka Client.
+        Apache Kafka Clients accept configuration data for setting the 
SASL/OAUTHBEARER connection with the brokers,
+        including "sasl.oauthbearer.token.endpoint.url" and 
"sasl.oauthbearer.jwks.endpoint.url".
+        Apache Kafka allows clients to read an arbitrary file and return the 
content in the error log,
+        or sending requests to an unintended location. In applications where 
Apache Kafka Clients configurations can be specified by an untrusted party,
+        attackers may use the "sasl.oauthbearer.token.endpoint.url" and 
"sasl.oauthbearer.jwks.endpoint.url" configuration to read arbitrary contents 
of the disk and environment variables or make requests to an unintended 
location.
+        In particular, this flaw may be used in Apache Kafka Connect to 
escalate from REST API access to filesystem/environment/URL access,
+        which may be undesirable in certain environments, including SaaS 
products. </p>
+
+      <p>Since Apache Kafka 3.9.1/4.0.0, we have added a system property 
("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls")
+        to set the allowed urls in SASL JAAS configuration. In 3.9.1, it 
accepts all urls by default for backward compatibility.
+        However in 4.0.0 and newer, the default value is empty list and users 
have to set the allowed urls explicitly.</p>
+
+      </p>
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>3.1.0 - 3.9.0</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.9.1, 4.0.0</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>Arbitrary file read and SSRF vulnerability</td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td>We advise all Kafka users to upgrade kafka to version >=3.9.1 
and set the JVM system property 
`org.apache.kafka.sasl.oauthbearer.allowed.urls` to the desired value.
+          </td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>9 Jun 2025</td>
+        </tr>
+        </tbody>
+      </table>
+
       <h2 id="CVE-2024-56128"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-56128";>CVE-2024-56128</a> SCRAM 
authentication vulnerable to replay attacks when used without encryption</h2>
 
       <p>Apache Kafka's implementation of the Salted Challenge Response 
Authentication Mechanism (SCRAM) did not fully adhere to the requirements of 
RFC 5802.
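Review bot: Each of the three new sections closes a paragraph twice: the `<p>` that ends with `is disabled by default in Apache Kafka 3.9.1/4.0.0.</p>` is followed by a bare `+      </p>` just before `<table class="data-table">`, and the same stray `</p>` appears after the CVE-2025-27818 and CVE-2025-27817 property paragraphs; those three lines have no matching open tag and should be dropped. The two disallowed-login-modules paragraphs also disagree on when the property was introduced (`Since Apache Kafka 3.4.0, we have added a system property` under CVE-2025-27819 versus `Since Apache Kafka 3.9.1/4.0.0, we have added a system property` under CVE-2025-27818); one of them should be corrected so readers know which release first shipped it and which default applies to which version. For CVE-2025-27819 the table lists versions affected as 2.0.0 - 3.3.2 but fixed versions as 3.9.1, 4.0.0, leaving 3.4.0 through 3.9.0 unaccounted for; since the paragraph says JndiLoginModule is disabled by default from 3.4.0, a sentence stating whether those releases are affected only when that default is overridden would remove the ambiguity. Smaller wording fixes: "a alterConfig" should read "an AlterConfig", "the Kafka Kafka Connect REST API" has a duplicated word, "Attacker can cause" needs an article, "urls" should be "URLs", and the Advice cell for CVE-2025-27817 and the override property names in the CVE-2025-27818 paragraph are wrapped in Markdown backticks, which render literally in HTML; use `<code>` elements instead.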
