Apache Kafka and Kafka Clients Information Exposure Vulnerability in Network Client Log Output

Vulnerability

A vulnerability allowing information exposure has been identified in Apache Kafka and its clients. The issue arises in the NetworkClient component, which logs complete request and response details at the DEBUG log level. By default, this log level is set to INFO. However, if DEBUG is enabled, sensitive information can be leaked through the logged requests and responses. The vulnerability affects Apache Kafka versions 0.11.0 through 3.9.1, as well as 4.0.0, and Apache Kafka Clients (org.apache.kafka:kafka-clients) versions 0.11.0 through 3.9.1 and 4.0.0.

Impact

Enabling DEBUG logging for the NetworkClient component can lead to unauthorized exposure of sensitive information through the logged requests and responses.

Remediation

Users are advised to upgrade to Apache Kafka versions 3.9.2, 4.0.1, or 4.1.0 and later. For those using Apache Kafka Connect, it is recommended to validate connector configurations and only allow trusted JNDI configurations.
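The exposure only materialises when an affected version runs with the NetworkClient logger effectively at DEBUG or below, and in log4j that level may be inherited from a parent logger rather than set on the class itself. The following added check (example code, not from the Apache Kafka project or the advisory) resolves the effective log4j 1.x-style level for the logger and combines it with the advisory's affected-version ranges; it assumes the logger is named after the class, org.apache.kafka.clients.NetworkClient, and that an unconfigured hierarchy falls back to INFO as the advisory states.

```python
# Added example: flag Kafka deployments where an affected version would emit
# full request/response lines from NetworkClient. Logger name and the INFO
# fallback are assumptions; the version ranges come from the advisory.
NETWORK_CLIENT_LOGGER = "org.apache.kafka.clients.NetworkClient"  # assumed: logger == class FQN
NOISY_LEVELS = {"TRACE", "DEBUG", "ALL"}  # anything at or below DEBUG prints the payloads


def parse_log4j_properties(text: str) -> dict:
    """Map logger name ('' for rootLogger) to its configured level (log4j 1.x syntax)."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        level = value.split(",", 1)[0].strip().upper()  # "DEBUG, stdout" -> DEBUG
        if key == "log4j.rootLogger":
            levels[""] = level
        elif key.startswith("log4j.logger."):
            levels[key[len("log4j.logger."):]] = level
    return levels


def effective_level(levels: dict, logger: str) -> str:
    """Walk the dotted logger hierarchy upwards until a level is found, root last."""
    name = logger
    while True:
        if name in levels and levels[name] not in ("INHERITED", "NULL"):
            return levels[name]
        if not name:
            return "INFO"  # assumed default when nothing is configured
        name = name.rpartition(".")[0]


def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def version_is_affected(version: str) -> bool:
    """Affected per the advisory: 0.11.0 through 3.9.1, plus 4.0.0."""
    v = parse_version(version)
    return parse_version("0.11.0") <= v <= parse_version("3.9.1") or v == parse_version("4.0.0")


def network_client_exposed(version: str, log4j_text: str) -> bool:
    """True when this version and logging config together leak request/response bodies."""
    level = effective_level(parse_log4j_properties(log4j_text), NETWORK_CLIENT_LOGGER)
    return version_is_affected(version) and level in NOISY_LEVELS


# Constructed sample configs: DEBUG inherited from a parent logger vs. NetworkClient pinned to INFO.
WEAK_CONFIG = "log4j.rootLogger=INFO, stdout\nlog4j.logger.org.apache.kafka.clients=DEBUG\n"
SAFE_CONFIG = WEAK_CONFIG + "log4j.logger.org.apache.kafka.clients.NetworkClient=INFO\n"
```

Pinning the NetworkClient logger to INFO is a stop-gap for hosts that cannot upgrade immediately; it does not replace the version upgrade the advisory recommends.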

Added: Apr 20, 2026, 2:37 PM
Updated: Apr 20, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 4.9
remediation: 8.3
relevance: 6.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.