Scholzj

**Name of the Vulnerable Software and Affected Versions** Strimzi versions 0.47.0 through 0.50.1 **Description** Strimzi allows running an Apache Kafka cluster on Kubernetes or OpenShift. When multiple Certificate Authority (CA) certificates are used in the trusted certificates configuration of a Kafka Connect operand or a Kafka MirrorMaker 2 operand’s target cluster, all certificates within the CA chain are individually trusted when connecting to the Apache Kafka cluster. This can lead to the affected operand accepting connections from Kafka brokers using server certificates signed by any CA in the chain, rather than only the final CA. **Recommendations** Update to version 0.50.1 or later.

**Name of the Vulnerable Software and Affected Versions** Strimzi versions 0.49.0 through 0.50.0 **Description** Strimzi allows running an Apache Kafka cluster on Kubernetes or OpenShift. Versions 0.49.0 through 0.50.0 incorrectly configure trusted certificates for mTLS authentication when using a custom Cluster or Clients CA with a multistage CA chain. This allows users with certificates signed by any CA in the chain to authenticate. The issue only affects users utilizing a custom Cluster or Clients CA with a multistage CA chain and does not impact those using Strimzi-managed CAs or a single custom CA. **Recommendations** Versions 0.49.0 through 0.50.0: Upgrade to version 0.50.1 or later. Versions 0.49.0 through 0.50.0: Provide only the single CA that should be used instead of the full CA chain as the custom CA.