Security Advisory: CVE-2023-25194 Kafka Connect

The Apache Kafka® project announced on February 8, 2023, that a security vulnerability had been identified in Kafka® Connect, CVE-2023-25194.

This vulnerability is related to the Kafka Connect worker and has been present since version 2.3.0. By supplying an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol when creating or modifying connectors on a Kafka Connect worker, an attacker can cause the worker to connect to an arbitrary LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. This can result in unrestricted deserialization of untrusted data.

The CVE report recommends that users of Kafka Connect validate connector configurations and only allow trusted JNDI configurations.

Mitigation:

When we received the advisory, we investigated the vulnerability and its potential impact on customers of our Instaclustr for Kafka Connect service. The results of our analysis are as follows:

  • Instaclustr’s service does not support Kafka Connect connectors using the authentication methods mentioned in this vulnerability.
  • We do not enable egress firewall rules to connect to any arbitrary JNDI/LDAP service.

Based on this, we do not believe our Managed Service customers need to take any action to mitigate this vulnerability.

For support-only customers we recommend:

  • Validating connector configurations to only allow trusted JNDI configurations
  • Verifying any connector dependencies for vulnerable versions, updating connector dependencies, and removing vulnerable connectors
  • Upgrading to version 3.4.0 and leveraging the org.apache.kafka.disallowed.login.modules system property to disallow the vulnerable login module.
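
As an added illustration of the first recommendation (not code from Instaclustr or the Apache Kafka project), the following check inspects a connector configuration for JAAS settings that name a disallowed login module. It assumes connector configs are handled as plain dictionaries, as returned by the Connect REST API, and flags com.sun.security.auth.module.JndiLoginModule, the module involved in this CVE and the default value of org.apache.kafka.disallowed.login.modules in Kafka 3.4.0.

```python
import re

# Login modules that must never appear in a connector-supplied JAAS config.
# JndiLoginModule is the module involved in CVE-2023-25194 and the default
# value of org.apache.kafka.disallowed.login.modules in Kafka 3.4.0.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# Connector configs may override the worker's client settings (possible since
# Kafka 2.3.0), so a JAAS string can appear under any of these keys.
JAAS_KEY = re.compile(
    r"^(?:(?:producer|consumer|admin)\.override\.)?sasl\.jaas\.config$")

# A JAAS entry starts with the fully qualified login module class name,
# followed by a control flag.
LOGIN_MODULE = re.compile(
    r"^\s*([\w.$]+)\s+(?:required|requisite|sufficient|optional)\b", re.I)


def find_disallowed_jaas(config: dict) -> list:
    """Return (config key, module class) for every disallowed JAAS entry."""
    findings = []
    for key, value in config.items():
        if not JAAS_KEY.match(key) or not isinstance(value, str):
            continue
        # A JAAS config string may hold several ';'-separated module entries.
        for entry in value.split(";"):
            m = LOGIN_MODULE.match(entry)
            if m and m.group(1) in DISALLOWED_LOGIN_MODULES:
                findings.append((key, m.group(1)))
    return findings


def validate_connector(config: dict) -> bool:
    """True when the connector config carries no disallowed login module."""
    return not find_disallowed_jaas(config)


# Constructed sample configs (hypothetical, not from any real deployment).
SUSPICIOUS = {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "audit",
    "producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;",
}
BENIGN = {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "audit",
    "producer.override.sasl.jaas.config":
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        'username="svc" password="example";',
}

if __name__ == "__main__":
    print("suspicious:", find_disallowed_jaas(SUSPICIOUS))  # one finding
    print("benign ok:", validate_connector(BENIGN))        # True
```

Splitting on ';' is a heuristic that ignores quoted semicolons, so treat a hit as a reason to reject the connector, not as a full JAAS parser. On 3.4.0 and later the worker enforces the same list itself through the org.apache.kafka.disallowed.login.modules system property.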

If you have any further queries regarding this vulnerability and its relation to Instaclustr services, feel free to contact us at [email protected].