The Apache Kafka® project announced on July 5, 2023, that a security vulnerability, CVE-2023-34455, had been identified in Kafka. The CVSS (Common Vulnerability Scoring System) 3.x severity rating for this vulnerability provided by the NVD (National Vulnerability Database) is 7.5 (High). When considered in the context of the standard security controls implemented by Instaclustr’s Managed Platform, we have assessed the residual risk as 5.0 (Medium).
This vulnerability applies to Kafka versions 0.8.0 through 3.5.0 and lies in the snappy-java library (versions prior to 1.1.10.1) that Kafka uses to compress and decompress message payloads. When a broker decompresses a crafted Snappy-framed payload, the affected versions of the library read the chunk length from the stream and size a buffer from it without validating it, so an attacker-controlled length field can force the allocation of an arbitrarily large amount of heap memory. This can result in an “Out of Memory” error, which in turn leads to a Denial-of-Service (DoS) on the Kafka broker. Configuring quotas does not prevent this problem, because a single small request is enough to trigger the oversized allocation.
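To make the failure mode concrete, the following is an added illustration (not snappy-java's or Kafka's own code) modelled on snappy-java's stream framing: a fixed header followed by chunks of `[int32 big-endian length][data]`. It builds a 20-byte crafted stream whose length field claims 2 GiB, shows how a reader that trusts the field would size its buffer, and contrasts it with a reader that validates the length against a cap and against the bytes actually present before allocating. The `MAX_CHUNK` cap and the extra "remaining bytes" check are assumptions chosen for the example; no real Snappy compression takes place.

```python
import struct

# Stream framing modelled on snappy-java's SnappyOutputStream: an 8-byte magic,
# an int32 version and an int32 compatible-version, then repeated chunks of
# [int32 big-endian length][compressed bytes]. Chunk contents are opaque here;
# no real Snappy compression is performed in this illustration.
MAGIC = b"\x82SNAPPY\x00"
HEADER = MAGIC + struct.pack(">ii", 1, 1)

# Assumed cap for this example, not a value taken from snappy-java or Kafka.
# A real reader would tie it to the largest record batch the broker accepts.
MAX_CHUNK = 1 << 20  # 1 MiB


def frame(chunks):
    """Build a well-formed stream from already-compressed chunk payloads."""
    out = bytearray(HEADER)
    for chunk in chunks:
        out += struct.pack(">i", len(chunk)) + chunk
    return bytes(out)


def crafted_stream(claimed_len):
    """Constructed attack input: a valid header followed by one chunk whose
    length field claims `claimed_len` bytes but carries no data at all."""
    return HEADER + struct.pack(">i", claimed_len)


def planned_allocations_unchecked(stream):
    """Model of the pre-1.1.10.1 behaviour. Returns the buffer size it would
    allocate for each chunk, taken straight from the length field, which is
    where the affected versions sized a byte array from untrusted input."""
    if not stream.startswith(HEADER):
        raise ValueError("not a snappy-java framed stream")
    pos, sizes = len(HEADER), []
    while pos + 4 <= len(stream):
        (n,) = struct.unpack_from(">i", stream, pos)
        pos += 4
        sizes.append(n)          # the unchecked allocation would happen here
        pos += max(n, 0)
    return sizes


def read_chunks_checked(stream, max_chunk=MAX_CHUNK):
    """Hardened reader: reject a length that is non-positive, above the cap, or
    larger than the bytes actually remaining, before any buffer is sized."""
    if not stream.startswith(HEADER):
        raise ValueError("not a snappy-java framed stream")
    pos, chunks = len(HEADER), []
    while pos + 4 <= len(stream):
        (n,) = struct.unpack_from(">i", stream, pos)
        pos += 4
        if n <= 0 or n > max_chunk:
            raise ValueError(f"invalid chunk length {n} (cap {max_chunk})")
        remaining = len(stream) - pos
        if n > remaining:
            raise ValueError(f"chunk length {n} exceeds remaining {remaining} bytes")
        chunks.append(bytes(stream[pos:pos + n]))  # allocation is now bounded
        pos += n
    return chunks


if __name__ == "__main__":
    good = frame([b"record-batch-1", b"record-batch-2"])
    print(read_chunks_checked(good))
    evil = crafted_stream(0x7FFFFFFF)            # claims 2 GiB in 20 bytes
    print(planned_allocations_unchecked(evil))   # [2147483647]
    try:
        read_chunks_checked(evil)
    except ValueError as err:
        print("rejected:", err)
```

The point of the comparison is that the attacker's cost is a 20-byte message while the defender's cost in the unchecked reader is a 2 GiB heap allocation, which is why a per-client byte quota on the produce path cannot help; only a bound on the declared length before allocation does.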
Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our managed Kafka service and assessed its severity rating as 5.0 (Medium) on the CVSS 3.x scale for customers of our managed Kafka offering. The findings are itemized below:
- Instaclustr’s managed Kafka service employs several methods to restrict clients’ access to a cluster:
  - For public IP clusters, connections can only be made from the IP addresses the customer has explicitly allowed in the cluster’s firewall.
  - For private IP clusters, access is limited to the cluster’s VPC or any VPC peered by the customer.
  - For AWS PrivateLink enabled clusters, access is restricted to the IAM principals provided by the customer.
  In summary, if the clients permitted to connect to the cluster can be trusted, clusters configured with any of the above access controls are not exposed to this issue. The residual risk comes from an authorised but compromised or misbehaving client, since any client that is allowed to produce compressed records to the cluster can supply the crafted payload.
- Instaclustr’s managed Kafka service does not allow a cluster to be provisioned without authentication and authorization, and APIs are available to edit or remove users and ACLs. Activity inside each cluster node and the overall health of the cluster are constantly monitored, with the necessary alerts in place. These measures reduce the likelihood of a cluster being exploited through this issue and allow an attempted exploit (a broker failing with an out-of-memory error) to be detected quickly.
Based on the impact detailed above, Instaclustr recommends the following actions for our customers:
- We recommend all customers review access permissions to their Kafka clusters to ensure access is restricted to the minimum permission sets, IP addresses, and trusted clients necessary. Information to help you get started with setting up Kafka users, ACLs, and firewall rules for our Managed Kafka customers can be found on our website.
- The Kafka project fixed the issue in Kafka 3.5.1, released on July 21, 2023, which upgrades the bundled snappy-java library to 1.1.10.1. Instaclustr is aiming to have Kafka 3.5.1 available by the end of August. At that time, we recommend that:
  - For new clusters, Kafka 3.5.1 should be used.
  - For existing clusters on older versions, an upgrade to Kafka 3.5.1 should be scheduled by contacting our Support team.
Please keep an eye on the blogs section of our website for the announcement that Kafka 3.5.1 is released on the Instaclustr platform.
Contact Instaclustr Support with any further questions regarding this vulnerability and its relation to Instaclustr for Apache Kafka.