NetApp Instaclustr Security Advisory – Multiple Kafka CVEs (June 2025)
July 03, 2025 | By Varun Ghai
Issue Details
Through proactive internal security scanning and as confirmed by the recent announcement by the Kafka project, NetApp has identified multiple vulnerabilities affecting Apache Kafka components used within the NetApp Instaclustr Managed Platform. These vulnerabilities are tracked under the following CVE identifiers:
| CVE ID | Description | Base CVSS v3.1 Score by NVD | Versions affected |
|---|---|---|---|
| CVE-2025-27819 | A vulnerability in the SASL JAAS JndiLoginModule configuration that may allow for remote code execution (RCE) or denial of service (DoS) attacks. | Not yet assessed by NVD | Kafka 2.0.0 – 3.3.2 |
| CVE-2025-27818 | A vulnerability in the SASL JAAS LdapLoginModule configuration that may permit remote code execution (RCE). | Not yet assessed by NVD | Kafka 2.3.0 – 3.9.0 |
| CVE-2025-27817 | A vulnerability that may allow arbitrary file reads and server-side request forgery (SSRF). | Not yet assessed by NVD | Kafka 3.1.0 – 3.9.0 |
Impact Analysis
These vulnerabilities affect the Apache Kafka core, Kafka Connect and the Kafka client components, and we have assessed the severity ratings as follows:
| CVE | NetApp calculated CVSS v3.1 rating | NetApp resolution priority | Impact |
|---|---|---|---|
| CVE-2025-27817 | 6.5 (Medium) | High | In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the “sasl.oauthbearer.token.endpoint.url” and “sasl.oauthbearer.jwks.endpoint.url” configuration to read arbitrary contents of the disk and environment variables or make requests to an unintended location. |
| CVE-2025-27818 | 7.6 (High) | Urgent | Users with the ability to alter configurations on the Kafka cluster or Kafka Connect worker can escalate their privileges to execute arbitrary code on the Kafka Connect server. This vulnerability allows an authenticated operator to set the sasl.jaas.config property for any of the connector’s Kafka clients to use the com.sun.security.auth.module.LdapLoginModule. This configuration can connect to an attacker’s LDAP server and deserialize the LDAP response, potentially leading to remote code execution (RCE) if there are deserialization gadgets in the classpath. |
| CVE-2025-27819 | 6.5 (Medium) | High | Users with the ability to alter configurations on the Kafka cluster can exploit a vulnerability in the SASL JAAS JndiLoginModule configuration, leading to remote code execution (RCE) or denial of service (DoS) attacks. This vulnerability affects both the Kafka Connect API and Apache Kafka brokers. |
Mitigation Approaches
Following a detailed investigation of NetApp Instaclustr’s platform by our security and engineering teams, we have determined the appropriate mitigation strategy for the identified Kafka vulnerabilities.
The preferred mitigation path is to upgrade all affected Kafka and Kafka Connect clusters to versions 3.9.1 or 4.0.0, which both include fixes for the vulnerabilities described in CVE-2025-27819, CVE-2025-27818, and CVE-2025-27817.
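Until the upgrade is complete, the configuration settings named in the impact table above can be audited before a connector or client configuration is accepted. The following is an added example written for this advisory, not NetApp or Apache Kafka code: it flags any `sasl.jaas.config` (including Kafka Connect prefixed overrides) that selects the JndiLoginModule or LdapLoginModule, and any OAUTHBEARER endpoint URL that is not https or not on an allowlist; the allowlisted host and the sample connector configuration are constructed assumptions.

```python
"""Audit Kafka / Kafka Connect configuration for the SASL settings described in
CVE-2025-27817, CVE-2025-27818 and CVE-2025-27819 (example, not Kafka's own code)."""
import re
from typing import Optional
from urllib.parse import urlparse

# Login modules named in the advisory; a JAAS config selecting either is flagged.
DISALLOWED_LOGIN_MODULES = {
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
}
# OAUTHBEARER URL settings named in the CVE-2025-27817 description.
OAUTH_URL_KEYS = ("sasl.oauthbearer.token.endpoint.url",
                  "sasl.oauthbearer.jwks.endpoint.url")
# Hypothetical identity-provider allowlist (assumption for this example).
ALLOWED_OAUTH_HOSTS = {"idp.example.internal"}

def jaas_login_module(jaas_config: str) -> Optional[str]:
    """Return the login module class that a JAAS config string selects.
    JAAS syntax is '<class> <required|requisite|sufficient|optional> [options];'."""
    m = re.match(r"\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b",
                 jaas_config, re.IGNORECASE)
    return m.group(1) if m else None

def audit_kafka_config(props: dict) -> list:
    """Return human-readable findings for risky SASL settings in props."""
    findings = []
    for key, value in props.items():
        # Connect workers accept prefixed overrides such as
        # producer.override.sasl.jaas.config, so match on the key suffix.
        if key.endswith("sasl.jaas.config"):
            module = jaas_login_module(value)
            if module in DISALLOWED_LOGIN_MODULES:
                findings.append(f"{key}: uses disallowed login module {module}")
        elif any(key.endswith(k) for k in OAUTH_URL_KEYS):
            url = urlparse(value)
            if url.scheme != "https":  # file:, http: etc. enable local reads / SSRF
                findings.append(f"{key}: non-https scheme '{url.scheme}' ({value})")
            elif url.hostname not in ALLOWED_OAUTH_HOSTS:
                findings.append(f"{key}: host '{url.hostname}' not in allowlist")
    return findings

# Constructed connector configuration used only to exercise the audit.
SAMPLE_CONNECTOR_CONFIG = {
    "name": "demo-sink",
    "producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.LdapLoginModule required;",
    "sasl.oauthbearer.token.endpoint.url": "file:///tmp/constructed-example",
    "sasl.oauthbearer.jwks.endpoint.url": "https://idp.example.internal/jwks",
}

if __name__ == "__main__":
    for finding in audit_kafka_config(SAMPLE_CONNECTOR_CONFIG):
        print(finding)
```

Running the block against the constructed configuration reports two findings: the LdapLoginModule override and the file: scheme on the token endpoint URL.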
Customer Recommendations
We advise customers to take the following actions based on their deployment model:
- Managed platform customers of Instaclustr for Apache Kafka and Instaclustr for Kafka Connect:
  - Ensure firewall rules are configured to only allow trusted applications or use-cases.
  - Refer to our support documentation portal for instructions on secure configuration and access management for your managed Kafka or Kafka Connect cluster.
  - For PCI customers, NetApp Instaclustr will contact you directly to schedule an upgrade to 3.9.1 or 4.0.0.
  - For all other customers, please reach out to NetApp Instaclustr Support at the earliest available opportunity to schedule an upgrade to 3.9.1 or 4.0.0.
- Support-only customers:
  - Ensure firewall rules are configured to only allow trusted applications or use-cases.
  - Upgrade to Kafka and Kafka Connect version 3.9.1 or Kafka 4.0.0 to address these vulnerabilities as soon as possible. NetApp Instaclustr Support can provide guidance for planning the upgrade operation.
NetApp Response
NetApp is actively working to ensure that all affected Instaclustr for Apache Kafka and Instaclustr for Kafka Connect clusters on the Managed Platform are remediated in a timely and secure manner.
- Instaclustr’s built-in access control mechanisms and secure-by-default configurations significantly reduce the likelihood of exploitation prior to upgrade.
- Instaclustr already supports Kafka and Kafka Connect 3.9.1 and 4.0.0 on the managed platform. Please reach out to our support team to schedule an upgrade to either of these versions.
- Instaclustr will proactively upgrade Kafka version 3.9.0 clusters to 3.9.1 in the upcoming OS upgrade cycle (starting mid-July 2025).
- Note: For PCI customers, regardless of Kafka version, we will be in contact shortly to schedule an upgrade so that they can remain compliant with their PCI obligations in a timely manner (i.e. by 8 August 2025).