PT-2023-9263 · Apache · Apache Kafka
Artsploit +1 · Published 2023-11-23 · Updated 2024-07-24 · CVE-2024-32030
CVSS v3.1 8.1 High
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kafka UI versions prior to 0.7.2
Description: The issue lies in the deserialization mechanism of Kafka UI, the web interface for managing Apache Kafka. Kafka UI connects to broker JMX endpoints, and JMX is built on RMI, which deserializes Java objects received from the remote side; an endpoint that returns crafted objects can therefore execute arbitrary code in the Kafka UI process. An attacker reaches this either by pointing the Kafka UI backend at a malicious broker (JMX endpoint) or by gaining access to a Kafka cluster that Kafka UI is already connected to. The outcome is post-authentication remote code execution on the Kafka UI host, which is particularly dangerous because Kafka UI does not enable authentication by default, so in a default deployment "post-authentication" provides no barrier at all.
Recommendations: For versions prior to 0.7.2, upgrade to 0.7.2 or later. Until the upgrade is in place, reduce exposure: disable the dynamic.config.enabled property so that JMX connection targets cannot be changed through the web interface; restrict access to the Kafka cluster connected to Kafka UI so that an attacker who gains cluster access cannot pivot into code execution on Kafka UI; and avoid the JMX ports feature. None of these measures removes the vulnerability itself; only upgrading to a fixed version does.
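To make the mechanism and the mitigations above concrete, the following Java example (added here; it is not Kafka UI's code and does not reproduce its internals) contrasts the risky pattern the description talks about, a JMX client dialling whatever host:port its editable configuration names, with two client-side controls a practitioner can put into their own JMX-consuming service: an operator-pinned allow-list of JMX endpoints, which is the same idea as disabling dynamic configuration, and a JDK serialization filter (JEP 290) applied to everything the RMI connector reads. The broker hostnames are constructed for the example, and the filter pattern is an illustrative starting point that has to be tuned against real JMX traffic.

```java
import java.io.ObjectInputFilter;
import java.net.MalformedURLException;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example, not Kafka UI's code. Contrasts dialling an attacker-chosen
 * JMX/RMI endpoint with an allow-list plus a JEP 290 serialization filter.
 */
public final class JmxClientHardening {

    private JmxClientHardening() {}

    /** Standard JMX-over-RMI URL: the registry at host:port hands back a stub that the client deserializes. */
    public static JMXServiceURL jmxUrlFor(String host, int port) throws MalformedURLException {
        return new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
    }

    /**
     * RISKY: connects to whatever host:port the configuration says. If an attacker can edit that
     * configuration, or controls the broker it names, the registry lookup and every later remote
     * call deserialize objects the attacker crafted.
     */
    public static MBeanServerConnection connectUnchecked(String host, int port) throws Exception {
        JMXConnector connector = JMXConnectorFactory.connect(jmxUrlFor(host, port));
        return connector.getMBeanServerConnection();
    }

    /** Control 1: only dial endpoints an operator pinned at deploy time, never ones supplied at runtime. */
    public static boolean isAllowedEndpoint(Set<String> allowedEndpoints, String host, int port) {
        return allowedEndpoints.contains(host + ":" + port);
    }

    /**
     * Control 2: a process-wide deserialization filter. RMI reads responses through an
     * ObjectInputStream, so the global filter is consulted for every class the JMX connector
     * deserializes. The pattern is an illustrative starting point (an assumption of this
     * example, not a vetted production list): it admits JDK types a plain JMX client expects
     * and rejects everything else via the trailing "!*". Tune it against your own traffic;
     * a too-strict pattern fails connect() with an InvalidClassException instead of silently
     * accepting objects.
     */
    public static ObjectInputFilter buildJmxSerialFilter() {
        return ObjectInputFilter.Config.createFilter(
            "java.lang.*;java.io.*;java.util.**;java.rmi.**;javax.management.**;"
            + "javax.security.auth.Subject;maxdepth=20;maxarray=10000;!*");
    }

    /** Installs the filter once; the JDK permits a single process-wide filter and throws if it is set again. */
    public static void installSerialFilter() {
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            ObjectInputFilter.Config.setSerialFilter(buildJmxSerialFilter());
        }
    }

    /** Hardened variant: allow-list check first, filter in place before any RMI bytes are read. */
    public static MBeanServerConnection connectHardened(Set<String> allowedEndpoints, String host, int port)
            throws Exception {
        if (!isAllowedEndpoint(allowedEndpoints, host, port)) {
            throw new SecurityException("JMX endpoint not in allow-list: " + host + ":" + port);
        }
        installSerialFilter();
        JMXConnector connector = JMXConnectorFactory.connect(jmxUrlFor(host, port));
        return connector.getMBeanServerConnection();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: hypothetical broker JMX endpoints pinned by an operator at deploy time.
        Set<String> allowed = Set.of("broker-1.internal:9999", "broker-2.internal:9999");

        // An endpoint injected at runtime through editable configuration is refused before any connection.
        try {
            connectHardened(allowed, "attacker.example", 1099);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }

        // A pinned broker passed on the command line is dialled through the filtered connector.
        if (args.length == 2) {
            MBeanServerConnection mbsc = connectHardened(allowed, args[0], Integer.parseInt(args[1]));
            System.out.println(mbsc.getMBeanCount() + " MBeans on " + args[0]);
        }
    }
}
```

Run it with no arguments to see the allow-list refuse the injected endpoint, or with `host port` of a pinned broker to open a filtered JMX session. Filter rejections surface as `java.io.InvalidClassException` with a "filter status: REJECTED" message, which is the signal to widen the pattern for a legitimate type. The allow-list (or, in Kafka UI terms, disabling dynamic configuration) is the control that matters most: it takes away the attacker's ability to choose the endpoint, whereas the filter only narrows what a malicious endpoint can send once it is being talked to.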

Weakness Enumeration
Code Injection
Deserialization of Untrusted Data

Related Identifiers
BDU:2024-05790
CVE-2024-32030

Affected Products
Apache Kafka