[ https://issues.apache.org/jira/browse/FLUME-3470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17730519#comment-17730519 ]
Deepak Garg commented on FLUME-3470:
------------------------------------

https://github.com/apache/flume/pull/406

> Upgrade Kafka-clients jar to 3.4.0 in project flume-kafka
> ---------------------------------------------------------
>
>                 Key: FLUME-3470
>                 URL: https://issues.apache.org/jira/browse/FLUME-3470
>             Project: Flume
>          Issue Type: Improvement
>         Environment: RHEL7
> Hadoop 3
> flume 1.11.0
>            Reporter: Deepak Garg
>            Assignee: Deepak Garg
>            Priority: Major
>              Labels: pull-request-available
>
> *Security Vulnerability Details*
> *CVE-2023-25194*
>
> *Explanation*
> The Apache {{kafka-clients}} package is vulnerable to Remote Code Execution (RCE). The {{load()}} and {{defaultContext()}} methods in the {{JaasContext}} class fail to provide a mechanism for disallowing dangerous authentication modules. Consequently, since Kafka deserializes the responses it receives from configured LDAP servers, modules such as {{com.sun.security.auth.module.JndiLoginModule}} may be leveraged to cause Kafka to deserialize responses into arbitrary classes that exist on the classpath. A remote attacker with access to a Kafka Connect worker who can configure connectors via the Kafka Connect REST API can exploit this vulnerability to execute malicious code on an affected Kafka server.
>
> {_}Advisory Deviation Notice{_}: The Sonatype security research team discovered that this vulnerability was introduced in version {{0.10.2.0}} and not {{2.3.0}} as stated in the advisory.
>
> *Detection*
> The application is vulnerable by using this component.
>
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue. In addition to upgrading, the project advises users take the following measures:
> {quote}We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrade that specific dependency, or remove the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.
> {quote}
> Reference: [https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz]
>
> Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
>
> *Version Affected*
> [0.10.2.0,3.3.2]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
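A defensive configuration check, added here as example code that is not part of Flume or Kafka: it scans a Flume agent configuration for Kafka sasl.jaas.config values whose JAAS login module is on the list that the org.apache.kafka.disallowed.login.modules property (introduced with the 3.4.0 fix) rejects, so that a deployment still on an older kafka-clients jar can catch a JndiLoginModule entry before it reaches the client. The Flume key layout (kafka.producer.* pass-through properties) and the sample configuration are assumptions constructed for the example.

```python
"""Scan a Flume agent configuration for Kafka JAAS login modules that the
org.apache.kafka.disallowed.login.modules property (Kafka 3.4.0+) rejects.
Example code written for this page; not part of Flume or Kafka."""

# Kafka 3.4.0's default value for the system property named in the advisory.
DEFAULT_DISALLOWED = "com.sun.security.auth.module.JndiLoginModule"


def disallowed_modules(prop_value=DEFAULT_DISALLOWED):
    """Parse the comma-separated property value into a set of class names."""
    return {m.strip() for m in prop_value.split(",") if m.strip()}


def login_modules(jaas_config):
    """Return the login module class names in a JAAS config string.
    Each entry has the form '<module class> <control flag> [key=value ...];',
    so the class name is the first token of every ';'-terminated entry."""
    modules = []
    for entry in jaas_config.split(";"):
        tokens = entry.split()
        if tokens:
            modules.append(tokens[0])
    return modules


def scan_flume_config(text, prop_value=DEFAULT_DISALLOWED):
    """Return (property key, module) pairs for every sasl.jaas.config value
    whose login module is disallowed. Assumption: any key ending in
    'sasl.jaas.config' (Flume's kafka.producer.* / kafka.consumer.*
    pass-through properties) carries the Kafka client JAAS string."""
    banned = disallowed_modules(prop_value)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # JAAS values contain '=' themselves
        key = key.strip()
        if key.endswith("sasl.jaas.config"):
            findings.extend((key, m) for m in login_modules(value) if m in banned)
    return findings


# Constructed sample: sink k1 uses PLAIN, sink k2 names the JNDI login module.
SAMPLE_CONFIG = """
a1.sinks.k1.type = org.apache.flume.sink.kafka.KafkaSink
a1.sinks.k1.kafka.producer.sasl.jaas.config = org.apache.kafka.common.security.plain.PlainLoginModule required username="flume" password="REDACTED";
a1.sinks.k2.type = org.apache.flume.sink.kafka.KafkaSink
a1.sinks.k2.kafka.producer.sasl.jaas.config = com.sun.security.auth.module.JndiLoginModule required;
"""
```

Passing a different prop_value reproduces an operator's own -Dorg.apache.kafka.disallowed.login.modules=... setting, so the scan and the JVM flag can be kept in step.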