Strimzi Kafka Operator and Cluster Images mTLS Authentication Vulnerability with Custom CA Chains
Vulnerability
A vulnerability exists in Strimzi versions 0.49.0 through 0.50.0 when a custom Cluster or Clients CA is used with a multistage CA chain. Strimzi improperly configures trusted certificates for mTLS authentication on both internal and user-defined listeners, allowing authentication with certificates signed by any CA in the chain. This issue does not affect users of Strimzi-managed CAs or those using a single CA.
Impact
The vulnerability allows for improper authentication via mTLS, as all CAs in the custom chain are trusted. This could lead to unauthorized access or actions being performed by clients with certificates from the trusted CAs.
Remediation
Users can upgrade to Strimzi version 0.50.1 or 0.51.0. If an immediate upgrade is not possible, as a temporary workaround, users can provide only the single CA that should be used instead of the full CA chain.
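The workaround above hinges on handing Strimzi exactly one CA rather than the chain. The following check, added here as an example and not code from the Strimzi project, counts the CAs in a PEM bundle and extracts the single one to supply, taken here to be the CA that directly issues the client certificates (the one CA in the bundle that signed no other certificate in it). It uses the Python `cryptography` package; the CA names are hypothetical, and the bundle is constructed in the test rather than read from a real secret.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def make_ca(common_name, issuer=None, issuer_key=None):
    """Constructed test CA, self-signed unless an issuer is given (hypothetical names)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def to_pem(*certs):
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)

def load_bundle(bundle_pem):
    """Split a PEM bundle (what a custom-CA secret would carry) into certificate objects."""
    return [x509.load_pem_x509_certificate(p.strip() + b"\n" + END) for p in bundle_pem.split(END) if BEGIN in p]

def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def ca_count(bundle_pem):
    """Number of CAs in the bundle; more than one is the condition the advisory describes."""
    return sum(is_ca(c) for c in load_bundle(bundle_pem))

def issuing_ca_only(bundle_pem):
    """PEM of the one CA that issued no other certificate in the bundle, i.e. the CA that
    directly signs client certificates: the single CA to provide instead of the full chain."""
    certs = load_bundle(bundle_pem)
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaf_cas = [c for c in certs if is_ca(c) and c.subject not in issuers]
    if len(leaf_cas) != 1:
        raise ValueError(f"expected exactly one issuing CA, found {len(leaf_cas)}")
    return to_pem(leaf_cas[0])
```

Run `ca_count` against the bundle before creating the custom CA secret; anything above 1 means the affected versions would trust every CA in it.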