CVE-2023-25194

Name of the Vulnerable Software and Affected Versions Apache Kafka Connect versions prior to 3.4.0 Apache Kafka versions 2.3.0 through 3.3.x Bitbucket Data Center and Server versions 7.21.0 through 8.12.0

Description A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.config property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.

Recommendations For Apache Kafka Connect versions prior to 3.4.0, upgrade to Apache Kafka Connect 3.4.0 or later. For Bitbucket Data Center and Server versions 7.21.0 through 8.12.0, upgrade to the specified supported fixed versions: