Apache Kafka Client
cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*
- >= 3.1.0, <= 3.9.0
An arbitrary file read and Server-Side Request Forgery (SSRF) vulnerability has been identified in Apache Kafka Client versions 3.1.0 prior to 3.9.0. This vulnerability arises from the client's ability to read arbitrary files and log their contents or send requests to unintended locations, based on configuration data for SASL/OAUTHBEARER connections with brokers. In environments where Kafka Client configurations can be controlled by untrusted parties, this vulnerability could be exploited to access sensitive disk contents, environment variables, or escalate privileges within Apache Kafka Connect from REST API access to filesystem or URL access, which could be problematic in certain environments, including SaaS products.
Exploitation of this vulnerability could lead to unauthorized access to arbitrary files, disk contents, and environment variables, or allow requests to be sent to unintended locations, potentially causing disruption or unauthorized data access.
Users are advised to upgrade to Apache Kafka Client version 3.9.1 or 4.0.0 and to set the JVM system property 'org.apache.kafka.sasl.oauthbearer.allowed.urls' to the desired value. In Kafka Connect, also add appropriate 'allowlist.pattern' and 'allowed.paths' parameters to restrict ConfigProviders to appropriate bounds.
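A defender-side check for the mitigations described above, written as an added example for this page and not taken from Apache Kafka or the advisory: it parses a Kafka Connect worker properties file, flags each ConfigProvider that lacks its 'allowed.paths' or 'allowlist.pattern' parameter, and checks that the OAUTHBEARER URL allowlist system property is present on the JVM command line. The provider class names, the `config.providers.<name>.param.<key>` key layout and the sample values are assumptions about the stock Kafka Connect providers, not details given in the advisory.

```python
"""Audit a Kafka Connect worker config and JVM options for the advisory's mitigations."""
import re

# Assumption: stock ConfigProvider classes shipped with Kafka (the advisory names only the keys).
PROVIDER_REQUIREMENTS = {
    "org.apache.kafka.common.config.provider.FileConfigProvider": "allowed.paths",
    "org.apache.kafka.common.config.provider.DirectoryConfigProvider": "allowed.paths",
    "org.apache.kafka.common.config.provider.EnvVarConfigProvider": "allowlist.pattern",
}
OAUTH_URL_PROPERTY = "org.apache.kafka.sasl.oauthbearer.allowed.urls"

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines and '#' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_config_providers(props):
    """One finding per ConfigProvider whose config.providers.<name>.param.<key> restriction is missing."""
    findings = []
    names = [n.strip() for n in props.get("config.providers", "").split(",") if n.strip()]
    for name in names:
        cls = props.get(f"config.providers.{name}.class", "")
        required = PROVIDER_REQUIREMENTS.get(cls)
        if required is None:
            findings.append(f"{name}: unknown provider class {cls!r}; review manually")
            continue
        if not props.get(f"config.providers.{name}.param.{required}"):
            findings.append(f"{name}: {cls.rsplit('.', 1)[-1]} has no '{required}' restriction")
    return findings

def audit_jvm_opts(jvm_opts):
    """Report whether the OAUTHBEARER URL allowlist system property is set and non-empty."""
    m = re.search(r"-D" + re.escape(OAUTH_URL_PROPERTY) + r"=(\S*)", jvm_opts)
    return [] if m and m.group(1) else [f"JVM: -D{OAUTH_URL_PROPERTY} is not set"]

# Constructed sample worker config: the file provider is unrestricted, the env provider is not.
SAMPLE_WORKER_PROPS = """\
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
config.providers.env.param.allowlist.pattern=^CONNECT_.*
"""
SAMPLE_KAFKA_OPTS = "-Xmx2g -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=https://idp.example/token"
```

Running `audit_config_providers(parse_properties(SAMPLE_WORKER_PROPS))` on the sample reports only the unrestricted file provider, and `audit_jvm_opts` returns no finding once the property carries a non-empty value.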