Vulnerability disclosure date:
2023-02-07
Affected versions:
All Apache Kafka versions between 2.3 and 3.4
Vulnerability description:
A possible security vulnerability has been identified in Apache Kafka Connect. It requires access to a Kafka Connect worker and the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. When configuring a connector through the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.config property of any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", via the "producer.override.sasl.jaas.config", "consumer.override.sasl.jaas.config" or "admin.override.sasl.jaas.config" properties. This lets the server connect to an attacker-controlled LDAP server and deserialize the LDAP response, which the attacker can use to run Java deserialization gadget chains on the Kafka Connect server. When suitable gadgets are present on the classpath, this amounts to unrestricted deserialization of untrusted data (or an RCE vulnerability). Since Apache Kafka 3.0.0, users may specify these properties in connector configurations on Kafka Connect clusters running with out-of-the-box configuration. Before Apache Kafka 3.0.0, users could not specify them unless the Kafka Connect cluster had been reconfigured with a connector client override policy that permits them.
Remediation advice:
Upgrade Apache Kafka to version 3.4.0 or later. Starting with Apache Kafka 3.4.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") was added to disable the use of problematic login modules in SASL JAAS configurations, and "com.sun.security.auth.module.JndiLoginModule" is disabled by default in Apache Kafka 3.4.0. Kafka Connect users are advised to validate connector configurations and allow only trusted JNDI configurations. Also examine connector dependencies for vulnerable versions, and upgrade the connector, upgrade the specific dependency, or remove the connector as remediation options. Finally, besides using the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can implement their own connector client config override policy, which controls which Kafka client properties may be overridden directly in a connector configuration and which may not.
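As an added example (not code from the original post or from the Kafka project), the following Python audit script applies the advisory's mitigation logic to connectors that already exist on a worker: it walks a response shaped like Kafka Connect's GET /connectors?expand=info (the shape is an assumption), inspects the producer/consumer/admin override keys named above, and flags every sasl.jaas.config whose login module is on the disallow list, which defaults to JndiLoginModule to mirror the 3.4.0 system property. The sample response, connector names and connector classes are constructed.

```python
import json

# Connector client override prefixes named in the advisory (Kafka Connect >= 2.3.0).
OVERRIDE_PREFIXES = ("producer.override.", "consumer.override.", "admin.override.")
# Login module disabled by default in Kafka 3.4.0 through
# -Dorg.apache.kafka.disallowed.login.modules; extend with that property's value.
DEFAULT_DISALLOWED = {"com.sun.security.auth.module.JndiLoginModule"}


def login_module_of(jaas_config):
    """Return the login module class named first in a JAAS config string.

    A JAAS config entry looks like '<LoginModuleClass> <flag> [option=value ...];'.
    """
    tokens = str(jaas_config).strip().split()
    return tokens[0].rstrip(";") if tokens else ""


def find_unsafe_jaas_overrides(connectors, disallowed=DEFAULT_DISALLOWED):
    """Scan an expand=info style response (assumed shape {name: {"info": {"config": {...}}}})
    and return (connector, key, module) for every client override whose
    sasl.jaas.config names a disallowed login module."""
    findings = []
    for name, entry in connectors.items():
        config = entry.get("info", {}).get("config", {})
        for key, value in config.items():
            if key.startswith(OVERRIDE_PREFIXES) and key.endswith("sasl.jaas.config"):
                module = login_module_of(value)
                if module in disallowed:
                    findings.append((name, key, module))
    return findings


def parse_disallowed_property(value):
    """Parse a comma-separated list of login module class names, the format the
    org.apache.kafka.disallowed.login.modules property is assumed to take."""
    return {m.strip() for m in value.split(",") if m.strip()}


# Constructed sample: one benign override, one naming JndiLoginModule.
SAMPLE_RESPONSE = json.loads("""
{
  "orders-sink": {"info": {"name": "orders-sink", "config": {
      "connector.class": "org.example.SinkConnector",
      "consumer.override.sasl.jaas.config":
        "org.apache.kafka.common.security.plain.PlainLoginModule required username=\\"svc\\" password=\\"x\\";"}}},
  "audit-source": {"info": {"name": "audit-source", "config": {
      "connector.class": "org.example.SourceConnector",
      "producer.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required;"}}}
}
""")

if __name__ == "__main__":
    for connector, key, module in find_unsafe_jaas_overrides(SAMPLE_RESPONSE):
        print(f"[ALERT] connector={connector} key={key} login_module={module}")
```

On a live worker, feed the script the JSON returned by the REST API instead of SAMPLE_RESPONSE; the same check belongs in a custom ConnectorClientConfigOverridePolicy so that such a configuration is rejected at submission time rather than found afterwards.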
Official description:
A possible security vulnerability has been identified in Apache Kafka Connect. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.config property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0. We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.
Reference: major changes in each Apache Kafka version when upgrading
Version | Major changes | Changes that may cause upgrade conflicts | Full release notes |
2.3 | | | https://archive.apache.org/dist/kafka/2.3.0/RELEASE_NOTES.html |
2.4 | | | https://archive.apache.org/dist/kafka/2.4.0/RELEASE_NOTES.html |
2.5 | | | https://archive.apache.org/dist/kafka/2.5.0/RELEASE_NOTES.html |
2.6 | | Zookeeper upgraded to 3.5.8 | https://archive.apache.org/dist/kafka/2.6.0/RELEASE_NOTES.html |
2.7 | | | https://archive.apache.org/dist/kafka/2.7.0/RELEASE_NOTES.html |
2.8 | | Removes the dependency on Zookeeper in favour of KRaft | https://archive.apache.org/dist/kafka/2.8.0/RELEASE_NOTES.html |
3.0 | | Deprecates Java 8 and Scala 2.12 (to be dropped entirely in 4.0) | https://archive.apache.org/dist/kafka/3.0.0/RELEASE_NOTES.html |
3.1 | | | |
3.2 | | log4j 1.x replaced by reload4j | https://archive.apache.org/dist/kafka/3.2.0/RELEASE_NOTES.html |
3.3.1 | | | https://archive.apache.org/dist/kafka/3.3.1/RELEASE_NOTES.html |
3.4 | | Adds ZooKeeper to KRaft migration (Early Access) | |
Source: https://blog.csdn.net/EdwardWong_/article/details/128971457