前言
Possible RCE and denial-of-service issue discovered in Kafka Connect
在 Kafka Connect 中发现可能的 RCE 和拒绝服务问题。
更新 阿帕奇软件基金会 (ASF) 已解决了一个漏洞,该漏洞可被利用来使用 Kafka Connect 发起远程代码执行 (RCE) 攻击。
该关键漏洞于 2 月 8 日公布,被追踪为 CVE-2023-25194。Apache Kafka Connect 是 Apache Kafka 的一个免费开源组件,是系统、数据库和键值存储之间数据集成的中心枢纽。
ASF 声称,超过 80% 的财富 100 强企业都在使用 Kafka 平台,包括每 10 家银行中的约 7 家。
UPDATED The Apache Software Foundation (ASF) has resolved a vulnerability that can be exploited to launch remote code execution (RCE) attacks using Kafka Connect.
Announced on February 8, the critical flaw is tracked as CVE-2023-25194. It was discovered in Apache Kafka Connect, a free, open source component of Apache Kafka that operates as a central hub for data integration between systems, databases, and key-value stores.
The ASF claims that more than 80% of Fortune 100 organizations use the Kafka platform, including approximately seven out of every 10 banks.
According to Apache’s mailing list note, the security flaw was discovered by bug bounty hunter Jari Jääskelä, who reported the issue via Aiven’s HackerOne bug bounty program and earned a $5,000 bug bounty reward.
根据阿帕奇邮件列表说明,该安全漏洞是由漏洞赏金猎人Jari Jääskelä发现的,他通过Aiven的HackerOne漏洞赏金计划报告了该问题,并获得了5000美元的漏洞赏金奖励。
The vulnerability can only be triggered when there is access to a Kafka Connect worker – a logical work unit component – and the user can create or modify worker connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol.
只有在访问 Kafka Connect Worker(逻辑工作单元组件),并且用户可以使用任意 Kafka 客户端 SASL JAAS 配置和基于 SASL 的安全协议创建或修改 Worker 连接器时,才会触发该漏洞。
https://nvd.nist.gov/vuln/detail/CVE-2023-25194
https://kafka.apache.org/cve-list
提示:以下是本篇文章正文内容,下面案例可供参考
一、Log4Shell connection
The vulnerability involves the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints, as was the case with ‘Log4Shell’, the landmark vulnerability discovered in ubiquitous Java logging library Apache Log4j in 2021. JNDI is also involved in another, newly disclosed critical vulnerability in Apache Sling JCR Base.
该漏洞涉及轻量级目录访问协议(LDAP)和 Java 命名与目录接口(JNDI)端点,就像 2021 年在无处不在的 Java 日志库 Apache Log4j 中发现的标志性漏洞 "Log4Shell "一样。Apache Sling JCR Base 中新披露的另一个关键漏洞也涉及 JNDI。
With the Kafka bug, an authenticated attacker could configure a specific connector property via either the Aiven API or the Kafka Connect REST API, forcing a worker to connect to an attacker-controlled LDAP server.
“The server will connect to the attacker’s LDAP server and it deserializes the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka Connect server,” the advisory reads. “Attacker[s] can execute commands on the server and access other resources on the network.”
When each prerequisite exists, Apache says it would be possible to perform JNDI requests, potentially leading to the execution of remote code or denial-of-service attacks.
利用 Kafka 漏洞,经过身份验证的攻击者可以通过 Aiven API 或 Kafka Connect REST API 配置特定连接器属性,从而迫使 Worker 连接到攻击者控制的 LDAP 服务器。
"服务器将连接到攻击者的 LDAP 服务器,并对 LDAP 响应进行反序列化,攻击者可利用该响应在 Kafka Connect 服务器上执行 java 反序列化小工具链,"该公告写道。"攻击者可以在服务器上执行命令,并访问网络上的其他资源。
阿帕奇表示,当每个前提条件都存在时,就有可能执行 JNDI 请求,从而可能导致执行远程代码或拒绝服务攻击。
二、Disclosure
Josep Prat, open source engineering director at Aiven, said Aiven’s bug bounty program bolstered “the security posture of the overall open source ecosystem” as well as its own.
“The bounty program at Aiven applies to both proprietary software as well as any of the open source projects used by it,” he told The Daily Swig.
“Since running our bounty program in 2020, 25% of the reports are on open source projects, of which 80% are on projects not owned by Aiven but part of the our dependency chain, such as projects owned by the Apache Software Foundation.”
Prat said if bug reports are “deemed to affect upstream projects, we will reach out to the security team of the said project and report the possible vulnerability that was discovered.
“In this particular instance, though, the vulnerability was initially assessed to only impact Apache Kafka service providers (and not upstream) rather than being a deficiency of the project itself. Hence, in accordance with the process, Aiven accepted and the bounty was paid to the reporter.”
Prat said the issue was then promptly reported to the Kafka security team and resolved with the help of Aiven engineers.
Aiven公司开源工程总监Josep Prat说,Aiven公司的漏洞悬赏计划不仅增强了自身的实力,而且还 “加强了整个开源生态系统的安全态势”。
"他告诉《The Daily Swig》:"Aiven的漏洞悬赏计划既适用于专有软件,也适用于其使用的任何开源项目。
“自2020年启动我们的悬赏计划以来,25%的报告涉及开源项目,其中80%涉及非爱文所有但属于我们依赖链的项目,如阿帕奇软件基金会(Apache Software Foundation)所有的项目。”
Prat说,如果错误报告 “被认为会影响上游项目,我们将与上述项目的安全团队联系,并报告可能发现的漏洞”。
“不过,在这个特殊的例子中,漏洞最初被评估为只影响 Apache Kafka 服务提供商(而不是上游),而不是项目本身的缺陷。因此,按照流程,Aiven 接受并向报告者支付了赏金。”
Prat说,该问题随后被迅速报告给了Kafka安全团队,并在Aiven工程师的帮助下得到了解决。
Updates, mitigations
The report was first submitted to Aiven on April 4, 2022. Apache Kafka versions 2.3.0-3.3.2 were found to be impacted, and the vulnerability was fixed in version 3.4.0.
The ASF notes that since Kafka 3.0.0, users have been able to specify the connector configuration properties used in the attack chain. A new property has been added that disables problematic login module usage in the SASL JAAS configuration in version 3.4.0, alongside additional security measures.
该报告于2022年4月4日首次提交给Aiven。Apache Kafka的2.3.0-3.3.2版本被发现受到影响,该漏洞已在3.4.0版本中得到修复。
ASF 指出,自 Kafka 3.0.0 起,用户可以指定攻击链中使用的连接器配置属性。在 3.4.0 版中,除了额外的安全措施外,还添加了一个新属性,用于禁止在 SASL JAAS 配置中使用有问题的登录模块。
The ASF said: “We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also, examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.”
Jääskelä also submitted a second critical vulnerability report concerning Apache Kafka in the same month.
The Aiven JDBC sink, including the SQLite JDBC driver, could be abused with an unprotected Jolokia bridge to execute RCE on Kafka Connect servers. The bug bounty hunter was awarded $5,000 for this report too, and the security issue has since been resolved.
ASF 说:“我们建议 Kafka Connect 用户验证连接器配置,只允许可信的 JNDI 配置。同时,检查连接器依赖的易受攻击版本,并将升级连接器、升级特定依赖或移除连接器作为补救选项。”
同月,Jääskelä 还提交了第二份有关 Apache Kafka 的重大漏洞报告。
包括 SQLite JDBC 驱动程序在内的 Aiven JDBC sink 可能会被未受保护的 Jolokia 桥滥用,从而在 Kafka Connect 服务器上执行 RCE。该漏洞赏金猎人也因这份报告获得了 5,000 美元的奖励,该安全问题后来也得到了解决。
We advise all Kafka users to promptly upgrade to a version of snappy-java (>=1.1.10.1) to mitigate this vulnerability. The latest version (1.1.10.1, as of July 5, 2023) of snappy-java is backward compatible with all affected versions of Kafka. The affected library jar for snappy-java should be replaced with this newer version.
This vulnerability allows any user who can produce data to the broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be exploited by sending a malicious payload in the record which is compressed using snappy. On receiving the record, the broker will try to de-compress the record to perform record validation and it will delegate decompression to snappy-java library. The vulnerability in the snappy-java library may cause allocation of an unexpected amount of heap memory, causing an OOM on the broker. Any configured quota will not be able to prevent this because a single record can exploit this vulnerability.