Ziyang Li

**Name of the Vulnerable Software and Affected Versions** Apache Kafka versions prior to 3.4.0 Apache Kafka versions 3.4.0 through 3.9.0 **Description** The issue concerns a Remote Code Execution (RCE) and Denial of Service attack via the SASL JAAS JndiLoginModule configuration in the Kafka Connect API and Apache Kafka brokers. To exploit this, an attacker needs to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. **Recommendations** For Apache Kafka versions prior to 3.4.0, consider adding the system property "-Dorg.apache.kafka.disallowed.login.modules" to disable the problematic login modules usage in SASL JAAS configuration. For Apache Kafka versions 3.4.0 through 3.9.0, ensure that "com.sun.security.auth.module.JndiLoginModule" is disabled, as it is by default in Apache Kafka 3.4.0. For Apache Kafka versions 3.9.1 and 4.0.0, ensure that "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled, as it is by default.

**Name of the Vulnerable Software and Affected Versions** MySQL Connectors versions 9.0.0 through 9.2.0 **Description** A difficult to exploit issue in MySQL Connectors allows a low privileged attacker with network access via multiple protocols to compromise the system. Successful attacks can result in the takeover of MySQL Connectors. **Recommendations** For versions 9.0.0 through 9.2.0, update to a version that contains a fix for this issue, as the current version is affected and can be exploited. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM Data Virtualization Manager for z/OS versions 1.1 through 1.2 Description: The issue allows an authenticated user to inject malicious JDBC URL parameters and execute code on the server. Recommendations: For versions 1.1 and 1.2, consider restricting access to the JDBC URL parameters to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using malicious JDBC URL parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Databricks JDBC Driver versions prior to 2.6.40 **Description** The issue is related to the improper handling of the `krbJAASFile` parameter, allowing a remote attacker to execute arbitrary code by triggering a JNDI injection via a JDBC URL parameter. This could potentially lead to remote code execution in the context of the driver. An attacker could exploit this by tricking a victim into using a crafted connection URL that uses the `krbJAASFile` property. **Recommendations** For Databricks JDBC Driver versions prior to 2.6.40, update to version 2.6.40 or later to resolve the issue. As a temporary workaround, consider applying the recommended JVM configuration changes until a patch is available. Restrict access to the `krbJAASFile` parameter to minimize the risk of exploitation.