Strimzi Kafka Operator Role-Based Access Control Vulnerability in Kafka Connect and MirrorMaker 2

Vulnerability

A vulnerability in Strimzi Kafka Operator versions 0.47.0 prior to 0.49.1 allows Apache Kafka Connect and MirrorMaker 2 to access all Kubernetes Secrets in their namespace. The issue arises because the operator creates an incorrect Kubernetes Role that grants the GET verb on Secrets without restricting it to particular Secret names. The vulnerability is exploitable when Kafka Connect or MirrorMaker 2 is deployed without proper TLS or mTLS configuration, or when certain authentication options are not specified. In such cases, the Pods can read any Secret in the namespace using their Service Account, although they cannot list or modify these Secrets.

Impact

Exploitation of this vulnerability allows unrestricted GET access to all Kubernetes Secrets in the same namespace, potentially exposing sensitive information.

Reproduction

Deploy Strimzi Kafka Operator version 0.47.0 to 0.49.0 with Kafka Connect or MirrorMaker 2. Leave the TLS and authentication options unconfigured, so that the default Role grants excessive access to Secrets. Once deployed, the excessive role can be verified by inspecting the permissions assigned to the Service Account of the Kafka Connect or MirrorMaker 2 Pods, which will show the ability to GET any Secret in the namespace.
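As an added audit helper that is not part of this advisory or of the Strimzi project, the following check reads a Role as `kubectl get role <name> -o json` prints it and flags rules that grant read verbs on Secrets in the core API group without a resourceNames restriction. The two sample Roles, their names and the Secret names are constructed for illustration; the least-privilege variant is only an example of a scoped rule, not Strimzi's actual fixed manifest.

```python
import json

# Constructed sample: a Role of the kind the advisory describes, granting GET on
# every Secret in the namespace. Names are illustrative, not Strimzi's manifest.
VULNERABLE_ROLE = json.dumps({
    "kind": "Role",
    "metadata": {"name": "my-connect-role", "namespace": "kafka"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
    ],
})

# Constructed least-privilege variant: GET is limited to named Secrets only.
SCOPED_ROLE = json.dumps({
    "kind": "Role",
    "metadata": {"name": "my-connect-role", "namespace": "kafka"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["my-connect-tls", "my-connect-user"]},
    ],
})

# Verbs that expose Secret contents; "*" matches every verb.
READ_VERBS = {"get", "list", "watch", "*"}


def unscoped_secret_rules(role_json):
    """Return the rules of a Role/ClusterRole JSON document that grant read
    access to every Secret in scope, i.e. with no resourceNames restriction."""
    role = json.loads(role_json)
    findings = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # Secrets live in the core API group, spelled "" in RBAC rules.
        in_core_group = "" in groups or "*" in groups
        touches_secrets = "secrets" in resources or "*" in resources
        if (in_core_group and touches_secrets and verbs & READ_VERBS
                and not rule.get("resourceNames")):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_ROLE), ("scoped", SCOPED_ROLE)):
        print(label, unscoped_secret_rules(doc))
```

The check inspects only the Role object; to confirm the Pods are affected, also verify that a RoleBinding ties that Role to the Service Account the Connect or MirrorMaker 2 Pods run as.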

Remediation

Upgrade to Strimzi Kafka Operator version 0.49.1 or later.

Added: Dec 5, 2025, 7:19 PM
Updated: Dec 5, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.