Apache Kafka Brokers JNDI Login Module Vulnerability Leading to Remote Code Execution or Denial-of-Service

Vulnerability

A vulnerability in Apache Kafka brokers versions 2.0.0 through 3.3.2 allows remote code execution (RCE) or denial-of-service (DoS) attacks. The issue arises from the use of the JndiLoginModule in SASL JAAS configuration, which an authenticated user with the AlterConfigs permission can exploit. Since Apache Kafka 3.4.0, a system property has been available to disable problematic login modules, and certain JNDI-related modules are disabled by default in versions 3.9.1 and 4.0.0.

Impact

Successful exploitation could allow unauthorized remote code execution on the Kafka broker or a denial-of-service condition that leaves the broker unresponsive or unavailable.

Remediation

Users are advised to upgrade to Apache Kafka version 3.9.1 or 4.0.0. Kafka Connect users should additionally validate connector configurations, examine dependencies for known vulnerabilities, and implement a connector client config override policy where necessary.
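The two mitigations named above (the system property that disables login modules, and a restrictive connector client config override policy) can be checked offline against a broker's JVM options and properties files. The script below is an added example, not code from the Apache Kafka project or from this advisory. It assumes the property name org.apache.kafka.disallowed.login.modules is passed through KAFKA_OPTS, uses constructed sample settings rather than any real deployment, and labels the files server.properties and connect-distributed.properties for illustration only.

```python
"""Offline audit of Kafka broker and Connect worker settings for JndiLoginModule
exposure. Added example, not Apache Kafka project code; sample inputs below are
constructed so the script runs stand-alone."""
import shlex
from typing import Optional

# Login module named in the advisory, and the system property Kafka added to
# disable login modules named in SASL JAAS configuration.
JNDI_MODULE = "com.sun.security.auth.module.JndiLoginModule"
DISALLOW_PROP = "org.apache.kafka.disallowed.login.modules"
# Connect policies that restrict which client settings a connector may override;
# 'All' leaves overrides unrestricted.
RESTRICTIVE_POLICIES = {"None", "Principal"}


def disallowed_modules(kafka_opts: str) -> set[str]:
    """Login modules disabled via -D<DISALLOW_PROP>=... in a KAFKA_OPTS string."""
    mods: set[str] = set()
    for tok in shlex.split(kafka_opts):
        if tok.startswith(f"-D{DISALLOW_PROP}="):
            value = tok.split("=", 1)[1]
            mods.update(m.strip() for m in value.split(",") if m.strip())
    return mods


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no continuations."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # first '=' only; JAAS values contain more
        if sep:
            props[key.strip()] = value.strip()
    return props


def jaas_keys_using_jndi(props: dict[str, str]) -> list[str]:
    """Static sasl.jaas.config entries (any listener/mechanism prefix) that load JndiLoginModule."""
    return sorted(k for k, v in props.items()
                  if k.endswith("sasl.jaas.config") and JNDI_MODULE in v)


def audit(kafka_opts: str, broker_props: str, connect_props: Optional[str] = None) -> list[str]:
    """Return findings; an empty list means every check passed.

    Caveat: JAAS values pushed at runtime through AlterConfigs are held in the
    broker's dynamic config store, not in server.properties, so only the system
    property check covers that path; the file check catches static settings.
    """
    findings: list[str] = []
    if JNDI_MODULE not in disallowed_modules(kafka_opts):
        findings.append(f"KAFKA_OPTS: {DISALLOW_PROP} does not list {JNDI_MODULE}")
    for key in jaas_keys_using_jndi(parse_properties(broker_props)):
        findings.append(f"server.properties: {key} loads {JNDI_MODULE}")
    if connect_props is not None:
        policy = parse_properties(connect_props).get("connector.client.config.override.policy")
        if policy not in RESTRICTIVE_POLICIES:
            findings.append(f"connect-distributed.properties: override policy is {policy!r}, "
                            f"expected one of {sorted(RESTRICTIVE_POLICIES)}")
    return findings


# --- constructed sample inputs (not taken from any real deployment) ---
WEAK_OPTS = "-Xmx1G"
HARDENED_OPTS = f"-Xmx1G -D{DISALLOW_PROP}={JNDI_MODULE}"

WEAK_BROKER = f"""
# constructed: a static listener JAAS string that loads the JNDI module
listener.name.sasl_plaintext.plain.sasl.jaas.config={JNDI_MODULE} required;
"""
HARDENED_BROKER = """
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="<placeholder>";
"""

WEAK_CONNECT = "connector.client.config.override.policy=All\n"
HARDENED_CONNECT = "connector.client.config.override.policy=Principal\n"

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_OPTS, WEAK_BROKER, WEAK_CONNECT)),
                        ("hardened", (HARDENED_OPTS, HARDENED_BROKER, HARDENED_CONNECT))):
        print(label, audit(*args) or ["no findings"])
```

The weak inputs produce three findings (property not set, a static JAAS entry loading the module, an unrestricted override policy); the hardened inputs produce none. Because dynamically altered broker configs are not visible in the properties file, the system property is the control to verify first on a broker that cannot yet be upgraded.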

Added: Jun 10, 2025, 8:18 AM
Updated: Jun 10, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 4.9
remediation: 8.3
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.