The Apache Kafka® project announced on September 19, 2022 that a security vulnerability has been identified in Apache Kafka, CVE-2022-34917. After being informed of this, Instaclustr began investigating its potential impact on customers of our Apache Kafka offering. This vulnerability allows malicious, unauthenticated clients to allocate large amounts of memory on the brokers. This can lead to OutOfMemoryException in the brokers causing denial of service.
The vulnerability can be exploited by any client which can create a successful network connection to a Kafka broker configured to use SASL based authentication. Exploiting the vulnerability does not require valid SASL credentials. Instaclustr Managed Kafka brokers use either SASL_PLAINTEXT or SASL_SSL authentication to mediate access to the Kafka brokers in our Managed Service. As such, all Instaclustr Kafka clusters are susceptible to this vulnerability.
Due to the nature of the vulnerability, good firewall hygiene will prevent exploitation, and is critical to maintaining interim protection while a patch is released and tested. Customers are responsible for configuring firewall rules in the Instaclustr console, and are expected to ensure that only trusted networks can connect to their clusters. Instaclustr performs regular firewall audits to ensure that the rules set applied to a cluster are consistent with the rules defined by the customer. Regardless of network type, please consider the mitigations below.
We are currently working to release the updated versions of Apache Kafka 2.8.1 and greater with the highest priority and will be in touch with our customers to schedule required upgrades.
The actions we have taken so far include:
- Analyzing the vulnerability for potential impacts to the Instaclustr Managed Service
- Checked applied firewall rules for consistency to the customer defined ruleset defined in the Instaclustr console and advised remediation
- Checked for 0.0.0.0 rules in the customer environment and advised remediation.
Instaclustr recommends that customers take the following actions to ensure that their rules are secure:
- Review the firewall rules defined in the Instaclustr console, including examining rules defined by security groups to ensure that they allow the minimum access required to meet requirements
- As a reminder for RIYOA customers, always use the Instaclustr console, API, or Terraform provider to manage firewall rules for your cluster rather than changing directly at the cloud provider level.
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, feel free to contact us at [email protected].