PT-2023-4776 · Spring · Spring For Apache Kafka

Joseph Beeton

Published: 2023-05-25
Updated: 2025-02-28

CVE-2023-34040

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Spring for Apache Kafka versions 3.0.9 and earlier
Spring for Apache Kafka versions 2.9.10 and earlier

Description

The issue is a deserialization attack vector in Spring for Apache Kafka. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. The application is vulnerable when the user does not configure an ErrorHandlingDeserializer for the key and/or value of the record, explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true, and allows untrusted sources to publish to a Kafka topic. By default these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured.

Recommendations

For Spring for Apache Kafka versions 3.0.9 and earlier, consider configuring an ErrorHandlingDeserializer for the key and/or value of the record to prevent the vulnerability.
For Spring for Apache Kafka versions 2.9.10 and earlier, consider configuring an ErrorHandlingDeserializer for the key and/or value of the record to prevent the vulnerability.
As a temporary workaround, consider setting the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to false to minimize the risk of exploitation.
Restrict access to Kafka topics to trusted sources only to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
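The two listener-container configurations the advisory contrasts, side by side, as an added Java example that is not code from the advisory or from the Spring project. The class name, baseProps, the localhost bootstrap address and the group id are assumed placeholders, and the setter names are assumed to be the Java setters for the container properties named above.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.springframework.kafka.config.ConcurrentKafkaListenerContainerFactory;
import org.springframework.kafka.core.DefaultKafkaConsumerFactory;
import org.springframework.kafka.support.serializer.ErrorHandlingDeserializer;

public class KafkaConsumerConfigExample {

    // Constructed sample connection settings (placeholders); replace with your own.
    private static Map<String, Object> baseProps() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092");
        props.put(ConsumerConfig.GROUP_ID_CONFIG, "orders-consumer");
        return props;
    }

    // VULNERABLE combination named in the advisory: plain key/value deserializers
    // (no ErrorHandlingDeserializer) while the container is told to look for a
    // deserialization-exception header whenever the key or value is null.
    public static ConcurrentKafkaListenerContainerFactory<String, String> vulnerableFactory() {
        Map<String, Object> props = baseProps();
        props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        ConcurrentKafkaListenerContainerFactory<String, String> factory =
                new ConcurrentKafkaListenerContainerFactory<>();
        factory.setConsumerFactory(new DefaultKafkaConsumerFactory<>(props));
        // Non-default flags: if untrusted producers can write to the topic, the
        // header the container now deserializes is producer-controlled.
        factory.getContainerProperties().setCheckDeserExWhenKeyNull(true);
        factory.getContainerProperties().setCheckDeserExWhenValueNull(true);
        return factory;
    }

    // MITIGATED: wrap both delegates in ErrorHandlingDeserializer as the advisory
    // recommends, and leave the two flags at their default value of false.
    public static ConcurrentKafkaListenerContainerFactory<String, String> mitigatedFactory() {
        ErrorHandlingDeserializer<String> keyDeser =
                new ErrorHandlingDeserializer<>(new StringDeserializer());
        ErrorHandlingDeserializer<String> valueDeser =
                new ErrorHandlingDeserializer<>(new StringDeserializer());
        ConcurrentKafkaListenerContainerFactory<String, String> factory =
                new ConcurrentKafkaListenerContainerFactory<>();
        factory.setConsumerFactory(
                new DefaultKafkaConsumerFactory<>(baseProps(), keyDeser, valueDeser));
        return factory;
    }
}
```

Auditing for this issue therefore means checking both halves together: any code or YAML that sets either checkDeserExWhen*Null property to true while the consumer's key or value deserializer is not an ErrorHandlingDeserializer.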

Exploit

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2023-05223
CVE-2023-34040
GHSA-CRQF-Q9FP-HWJW

Affected Products

Spring For Apache Kafka