Apache Kafka
cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*
- >= 2.3.0, <= 3.9.0
A remote code execution vulnerability has been identified in Apache Kafka versions 2.3.0 through 3.9.0. This vulnerability requires access to alterConfig on the cluster resource or Kafka Connect worker, and the ability to create or modify connectors using an arbitrary Kafka client SASL JAAS configuration and a SASL-based security protocol. An authenticated operator can exploit this vulnerability by setting the 'sasl.jaas.config' property for any connector's Kafka clients to 'com.sun.security.auth.module.LdapLoginModule'. This allows the server to connect to the attacker's LDAP server, deserialize the LDAP response, and potentially execute Java deserialization gadget chains on the Kafka Connect server, leading to unrestricted deserialization of untrusted data or remote code execution if such gadgets are present in the classpath.
Exploitation of this vulnerability allows for remote code execution on the Kafka Connect server, facilitated by deserialization of untrusted data from an LDAP response.
To reproduce this vulnerability, an authenticated operator must have access to a Kafka Connect worker and the necessary permissions to create or modify connectors. Once these conditions are met, the operator can use the Kafka Connect REST API to configure a connector. During this process, the 'sasl.jaas.config' property can be set to 'com.sun.security.auth.module.LdapLoginModule', using one of the override properties for producers, consumers, or admins. After the connector is deployed with this configuration, the Kafka Connect server will connect to the specified LDAP server, allowing for the deserialization of the LDAP response and the execution of any available Java deserialization gadgets, resulting in remote code execution.
Users are advised to upgrade to Apache Kafka versions 3.9.1 or 4.0.0, where this vulnerability has been fixed. In addition, Kafka Connect users should validate connector configurations to ensure that only trusted LDAP configurations are allowed. For those using Kafka Connect 3.9.1 or 4.0.0, the 'org.apache.kafka.disallowed.login.modules' system property can be set to disable the use of problematic login modules, including the LdapLoginModule. Kafka Connect users can also implement their own connector client config override policy to control which Kafka client properties can be overridden in a connector configuration.
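As an added example (not code from this advisory or from the Kafka project), the last mitigation above implemented as a custom connector client config override policy: connectors may still override Kafka client properties, but a 'sasl.jaas.config' override is accepted only if every login module it names is on a fixed allowlist, so LdapLoginModule can never reach a connector's clients this way. The package and class names are hypothetical; the Kafka interfaces, 'SaslConfigs.SASL_JAAS_CONFIG' and the allowlisted module class names are real.

```java
// Hypothetical package and class names; the Kafka interfaces used are real.
package com.example.connect.policy;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.kafka.common.config.ConfigValue;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigOverridePolicy;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigRequest;

/** Allows client overrides, but only with JAAS login modules from a fixed allowlist. */
public class AllowlistedJaasOverridePolicy implements ConnectorClientConfigOverridePolicy {

    // Login modules a connector may name in sasl.jaas.config; LdapLoginModule is deliberately absent.
    private static final Set<String> ALLOWED_MODULES = Set.of(
        "org.apache.kafka.common.security.plain.PlainLoginModule",
        "org.apache.kafka.common.security.scram.ScramLoginModule");

    @Override
    public List<ConfigValue> validate(ConnectorClientConfigRequest request) {
        List<ConfigValue> results = new ArrayList<>();
        // clientProps() holds the overrides with the producer./consumer./admin.override. prefix already stripped.
        for (Map.Entry<String, Object> entry : request.clientProps().entrySet()) {
            ConfigValue value = new ConfigValue(entry.getKey(), entry.getValue(), new ArrayList<>(), new ArrayList<>());
            if (SaslConfigs.SASL_JAAS_CONFIG.equals(entry.getKey())) {
                checkJaasConfig(String.valueOf(entry.getValue()), value);
            }
            results.add(value); // any ConfigValue carrying an error message makes Connect reject the connector config
        }
        return results;
    }

    /** A JAAS config string is one or more entries of the form "LoginModuleClass flag [key=value ...];". */
    static void checkJaasConfig(String jaas, ConfigValue value) {
        for (String entry : jaas.split(";")) {
            String[] tokens = entry.trim().split("\\s+");
            if (tokens[0].isEmpty()) {
                continue; // empty segment, e.g. after the final ';'
            }
            if (!ALLOWED_MODULES.contains(tokens[0])) {
                value.addErrorMessage("Login module " + tokens[0]
                    + " may not be supplied by a connector; allowed modules: " + ALLOWED_MODULES);
            }
        }
    }

    @Override
    public void configure(Map<String, ?> configs) { } // no worker-side settings needed

    @Override
    public void close() { }
}
```

Package the class into a jar on the worker's plugin.path and set 'connector.client.config.override.policy=com.example.connect.policy.AllowlistedJaasOverridePolicy' in the worker properties; it complements, rather than replaces, the upgrade and the disallowed login modules system property described above.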