How the CVE Works
The vulnerability arises because Apache Kafka clients do not validate the scheme or destination of the URLs supplied in the SASL/OAUTHBEARER configuration (sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url); whatever is configured is fetched as-is. Anyone who can supply these settings can:
1. Read Arbitrary Files – with a file:// URI the client opens the local file in place of the token or JWKS endpoint, and because the content is not the JSON it expects, the parse error it logs includes the file's contents.
2. Trigger SSRF – an http:// or https:// URL pointing at an internal host makes the Kafka process issue the request, reaching services the attacker cannot reach directly.
3. Leak Environment Variables – the same file read pointed at /proc/self/environ returns the process environment, which commonly holds credentials.
In Kafka Connect, anyone with access to the REST API can place these settings in a connector configuration (through the producer.override. / consumer.override. client-config prefixes, where the worker's connector.client.config.override.policy allows it), turning REST access into file-system reads and internal network reconnaissance on the worker host.
DailyCVE Form
Platform: Apache Kafka
Version: releases before 3.9.1 (fixed in 3.9.1 and 4.0.0)
Vulnerability: Arbitrary Read/SSRF
Severity: Critical
Date: 2024-03-15
Prediction: Patch by Q2 2024
What Undercode Says:
Exploitation:
1. File Read PoC:
bin/kafka-console-producer.sh --bootstrap-server localhost:9092 --topic test --producer.config malicious.properties
Where `malicious.properties` contains, alongside the usual OAUTHBEARER settings (security.protocol, sasl.mechanism=OAUTHBEARER, sasl.login.callback.handler.class and sasl.jaas.config; without them the token endpoint is never contacted):
sasl.oauthbearer.token.endpoint.url=file:///etc/passwd
The login callback handler reads the file in place of the token response, fails to parse it, and writes the content into the error it logs. The same setting submitted to Kafka Connect in a connector config (as producer.override.sasl.oauthbearer.token.endpoint.url) does the same on the worker host.
2. SSRF Exploit:
sasl.oauthbearer.jwks.endpoint.url=http://internal-service/admin
Either URL setting works for SSRF; the error that comes back reveals whether the internal target exists and what it answered.
Mitigation:
1. Immediate Workaround (unpatched releases ignore the allowlist property, so on those the only lever is limiting who can supply the setting):
- Put authentication and authorization in front of the Kafka Connect REST API, and set connector.client.config.override.policy to a policy (None, or a custom one) that refuses sasl.* overrides in connector configs.
- Treat every configuration source an untrusted party can write (connector configs, shared properties files) as hostile.
2. Upgrade & Hardening:
Upgrade to 3.9.1 or 4.0.0 and restrict the URLs with the system property. It goes through KAFKA_OPTS; kafka-server-start.sh takes a properties file, not -D flags:
export KAFKA_OPTS="-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=https://valid-endpoint/oauth2/token"
bin/kafka-server-start.sh config/server.properties
The check lives in the client, so the same property must be set on every JVM that runs a Kafka client (Connect workers, producers, consumers), with multiple URLs comma-separated. In 3.9.1 the default still allows every URL for backward compatibility; in 4.0.0 the default is an empty list and the endpoints must be listed explicitly.
3. Network Controls (limits the blast radius of the SSRF; file:// reads are unaffected by network rules):
iptables -A OUTPUT -m owner --uid-owner kafka -p tcp --dport 80 -j DROP   # block plain-HTTP egress from the kafka service user
A blanket drop of port 80 for the whole host also breaks package updates and health checks; scope the rule to the service user, and add -d rules for internal ranges the broker or worker has no business reaching.
Detection:
- Log Analysis (the handler class names are CamelCase, so match case-insensitively; Connect writes to its own log):
grep -i oauthbearer logs/server.log logs/connect.log | grep -E "file:|http://"
Any token or JWKS endpoint that is not https, and any file: URI, is worth an alert.
- Kafka Config Audit:
bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --describe
curl -s http://<connect-worker>:8083/connectors/<name>/config | grep -i oauthbearer
kafka-configs.sh only shows broker configs; the connector configs an attacker would modify live in the Connect REST API, so audit those too, along with the worker's properties file for producer./consumer. prefixed settings.
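The log grep and config audit above are what a practitioner would run by hand; the script below is an added example (not code from the page or from the Kafka project) that does the same job systematically: it pulls every OAUTHBEARER URL setting out of a worker .properties file, a connector config fetched from the Connect REST API, and log lines, and flags file: URIs, non-https schemes and private, loopback or link-local targets. The .properties parser is deliberately minimal (key=value lines only) and all sample inputs, including the log message wording, are constructed for the example.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Settings named in the advisory, and the prefixes under which they appear in a
# Connect worker config (producer./consumer./admin.) or in a connector config
# submitted over the REST API (*.override.).
OAUTH_URL_KEYS = ("sasl.oauthbearer.token.endpoint.url", "sasl.oauthbearer.jwks.endpoint.url")
PREFIXES = ("", "producer.", "consumer.", "admin.",
            "producer.override.", "consumer.override.", "admin.override.")
URL_RE = re.compile(r"""\b(?:file|https?)://[^\s'"]+""", re.IGNORECASE)

def oauth_url_key(key):
    """Return the base setting name if `key` is one of the OAUTH URL settings, else None."""
    for prefix in PREFIXES:
        for base in OAUTH_URL_KEYS:
            if key == prefix + base:
                return base
    return None

def classify_url(url):
    """Return the reasons an endpoint URL looks hostile; an empty list means it passes."""
    reasons = []
    parts = urlsplit(url.strip().rstrip(".,;:)"))
    scheme = parts.scheme.lower()
    if scheme == "file":
        reasons.append("file: URI, the client would read a local file")
    elif scheme != "https":
        reasons.append(f"scheme '{scheme or 'none'}' is not https")
    host = parts.hostname
    if host:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # a hostname rather than an address literal
            if host == "localhost" or "." not in host:
                reasons.append(f"host '{host}' is local or unqualified (internal target)")
        else:
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                reasons.append(f"address {ip} is private/loopback/link-local (SSRF target)")
    return reasons

def audit_mapping(cfg, source):
    """Check every OAUTH URL setting in a key/value mapping; returns (source, key, url, reasons) tuples."""
    findings = []
    for key, value in cfg.items():
        if oauth_url_key(key) and isinstance(value, str):
            reasons = classify_url(value)
            if reasons:
                findings.append((source, key, value, reasons))
    return findings

def parse_properties(text):
    """Minimal .properties reader: key=value lines only (':' separators, escapes and continuations are not handled)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_properties(text, source="properties"):
    return audit_mapping(parse_properties(text), source)

def audit_connector_config(body, source="connect-rest"):
    """Audit the JSON body returned by GET /connectors/<name>/config on a Connect worker."""
    return audit_mapping(json.loads(body), source)

def audit_log_lines(lines, source="server.log"):
    """Pull URLs out of log lines that mention OAUTHBEARER and classify each one."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if "oauthbearer" in line.lower():
            for url in URL_RE.findall(line):
                reasons = classify_url(url)
                if reasons:
                    findings.append((f"{source}:{lineno}", "log", url, reasons))
    return findings

# Constructed sample inputs (not real captures; the log message wording is illustrative).
SAMPLE_WORKER_PROPERTIES = """\
bootstrap.servers=kafka:9092
sasl.mechanism=OAUTHBEARER
sasl.oauthbearer.token.endpoint.url=file:///etc/passwd
producer.sasl.oauthbearer.jwks.endpoint.url=http://169.254.169.254/latest/meta-data/
consumer.sasl.oauthbearer.token.endpoint.url=https://login.example.com/oauth2/token
"""
SAMPLE_CONNECTOR_CONFIG = ('{"name": "jdbc-sink", "topics": "test", '
                           '"producer.override.sasl.oauthbearer.token.endpoint.url": "http://internal-service/admin"}')
SAMPLE_LOG_LINES = [
    "[2024-03-15 10:22:41,113] INFO Starting connector jdbc-sink (org.apache.kafka.connect.runtime.Worker)",
    "[2024-03-15 10:22:42,507] ERROR Token response could not be parsed: root:x:0:0:root:/root:/bin/bash from file:///etc/passwd (org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler)",
    "[2024-03-15 10:22:43,001] INFO Using https://login.example.com/oauth2/token for OAUTHBEARER login",
]

if __name__ == "__main__":  # stand-alone run: print every finding from the constructed samples
    print(*audit_properties(SAMPLE_WORKER_PROPERTIES) + audit_connector_config(SAMPLE_CONNECTOR_CONFIG) + audit_log_lines(SAMPLE_LOG_LINES), sep="\n")
```

Feed audit_properties the worker's connect-distributed.properties, audit_connector_config the body of each GET /connectors/<name>/config, and audit_log_lines the contents of server.log and connect.log; on the samples it reports the file:// token endpoint and the link-local JWKS URL from the properties, the http://internal-service override from the connector config, and the file:///etc/passwd URL that surfaced in the error log, while the https://login.example.com endpoint passes. Tighten classify_url to an exact allowlist of your identity provider's URLs if you want it to mirror what the 4.0.0 allowed.urls property enforces.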
Patch Monitoring:
Track Kafka releases via:
curl -s https://kafka.apache.org/downloads | grep -A5 "Security Fixes"
The project's CVE list at https://kafka.apache.org/cve-list is the authoritative record of which release fixed what.
Note: SaaS platforms that run Kafka Connect on behalf of tenants are the exposed case here: one tenant's connector config can read files and reach network locations from the shared worker, so tenant isolation (separate workers per tenant, or override policies that reject these settings) must be enforced to prevent cross-tenant exploitation.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode