Apache Pulsar, Information Disclosure, CVE-2025-XXXXX (Moderate)

The CVE-2025-XXXXX vulnerability in Apache Pulsar’s Kafka connectors exposes sensitive configuration details, including credentials, in application logs. The issue stems from improper logging practices in the Pulsar IO Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector. When these connectors initialize, they log configuration properties in plaintext, which may include Kafka broker credentials, authentication tokens, or other secrets. Attackers with access to log files (via misconfigured permissions, log aggregation systems, or compromised servers) can extract these credentials and potentially escalate access to Kafka clusters. The impact is mitigated by the need for log access, but in shared environments or where logs are archived, the risk increases.

DailyCVE Form:

Platform: Apache Pulsar
Version: <3.0.11, <3.3.6, <4.0.4
Vulnerability: Info leak via logs
Severity: Moderate
Date: Apr 10, 2025

What Undercode Say:

Exploitation:

1. Attacker gains log access (e.g., `/var/log/pulsar/.log`).

2. Searches for Kafka connector initialization logs:

grep "kafka.password" /var/log/pulsar/.log

3. Extracts credentials (e.g., `sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="secret";`).

Mitigation:

1. Upgrade to fixed versions (3.0.11+, 3.3.6+, 4.0.4+).

2. Restrict log permissions:

chmod 640 /var/log/pulsar/.log
chown pulsar:adm /var/log/pulsar/.log

3. Scrub logs post-facto:

sed -i 's/password="[^"]*"/password="REDACTED"/g' /var/log/pulsar/.log

4. Disable debug logging for connectors in `log4j2.xml`:

<Logger name="org.apache.pulsar.io.kafka" level="WARN"/>

Detection:

  • Audit logs for leaked credentials:
    journalctl -u pulsar | grep -i "kafka.credential"

  • Test with a dummy credential in the connector config:
    sasl.jaas.config: "username=test password=DUMMY"

    Then verify the logs omit the value.
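As an added example (not from the page or the Pulsar project), the detection step above as a small Python scanner: it runs over constructed log lines modelled on the connector initialization messages the advisory describes, reports which configuration key leaked on which line, and masks the value so the scan output does not itself re-leak the credential. The sample lines, the logger names in them and the list of secret-naming keys are assumptions.

```python
import re

# Constructed sample log lines (not real Pulsar output) in the style of a
# connector logging its configuration at initialization. Lines 2 and 3 leak
# a secret; lines 1 and 4 do not.
SAMPLE_LOG = """\
2025-04-10T10:00:01 INFO KafkaAbstractSource - config: {bootstrapServers=kafka:9092, topic=orders}
2025-04-10T10:00:01 INFO KafkaAbstractSource - consumerConfigProperties: {sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="secret";, security.protocol=SASL_SSL}
2025-04-10T10:00:02 INFO KafkaAbstractSink - producerConfigProperties: {ssl.keystore.password=kspass, ssl.truststore.location=/etc/certs/ts.jks}
2025-04-10T10:00:03 INFO KafkaAbstractSink - producerConfigProperties: {ssl.truststore.location=/etc/certs/ts.jks, acks=all}
"""

# A JAAS login string carries its password inside the sasl.jaas.config value,
# so a plain key match on "password" would report the wrong key name.
JAAS_RE = re.compile(r'(sasl\.jaas\.config=[^,}]*?password=")([^"]*)(")', re.IGNORECASE)

# Generic key=value pair whose key names a password, secret or token
# (assumed list; extend it for your own connector properties).
KV_RE = re.compile(r'\b([\w.]*(?:password|secret|token)[\w.]*)=([^,}\s;]+)', re.IGNORECASE)

MASK = "***"


def scan_line(line):
    """Return (findings, masked_line) for one log line.

    findings is a list of (key, secret) pairs; masked_line is the line with
    every secret replaced by MASK so the scan output is safe to store."""
    findings = []

    def jaas_repl(m):
        findings.append(("sasl.jaas.config", m.group(2)))
        return m.group(1) + MASK + m.group(3)

    masked = JAAS_RE.sub(jaas_repl, line)

    def kv_repl(m):
        key, value = m.group(1), m.group(2)
        if MASK in value:  # already masked by the JAAS pass
            return m.group(0)
        findings.append((key, value))
        return key + "=" + MASK

    masked = KV_RE.sub(kv_repl, masked)
    return findings, masked


def scan_log(text):
    """Scan a whole log; return [(line_no, key, masked_line), ...]."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings, masked = scan_line(line)
        for key, _secret in findings:
            results.append((line_no, key, masked))
    return results


if __name__ == "__main__":
    for line_no, key, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: leaked value for {key!r}: {masked}")
```

Run it against a real log with `scan_log(open(path).read())`; a hit on the dummy-credential test from the detection section means the running connector still logs the value and the upgrade or log-level change has not taken effect.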

Code Fix:

Patch modifies `KafkaAbstractConfig` to filter sensitive fields:

    public Map<String, Object> getLoggedConfiguration() {
        // Copy so the live configuration is left untouched.
        Map<String, Object> config = new HashMap<>(this.originalConfig);
        // Drop every entry whose key names a password before the map is logged.
        config.keySet().removeIf(key -> key.toLowerCase().contains("password"));
        return config;
    }
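Added example, not the project's patch: a Python model of the redaction the snippet above performs, next to a broader version. The snippet drops keys whose name contains "password"; the `sasl.jaas.config` string shown in the exploitation section carries its password inside the value, so a key-name filter alone still logs it. The sample configuration and the list of secret-naming keys are constructed.

```python
import re

# Constructed connector configuration (not from the page) of the kind the
# affected connectors logged at startup.
SAMPLE_CONFIG = {
    "bootstrapServers": "kafka:9092",
    "topic": "orders",
    "security.protocol": "SASL_SSL",
    "ssl.keystore.password": "kspass",
    "sasl.jaas.config": (
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="admin" password="secret";'
    ),
}

REDACTED = "<redacted>"
# Keys that name a secret outright (assumed list).
SENSITIVE_KEY_RE = re.compile(r"password|secret|token|credential", re.IGNORECASE)
# The password option inside a JAAS login string; group 1 keeps the 'password="' prefix.
JAAS_PASSWORD_RE = re.compile(r'(password=")[^"]*(")', re.IGNORECASE)


def filter_by_key_name(config):
    """Model of the snippet above: drop every key whose name contains 'password'."""
    return {k: v for k, v in config.items() if "password" not in k.lower()}


def redact_config(config):
    """Return a copy safe to log: secret-named keys are masked rather than dropped
    (so the operator can still see the key was set), and the password embedded in
    sasl.jaas.config is masked in place."""
    safe = {}
    for key, value in config.items():
        if SENSITIVE_KEY_RE.search(key):
            safe[key] = REDACTED
        elif key == "sasl.jaas.config" and isinstance(value, str):
            safe[key] = JAAS_PASSWORD_RE.sub(r"\g<1>" + REDACTED + r"\g<2>", value)
        else:
            safe[key] = value
    return safe


def contains_secret(obj, secrets=("secret", "kspass")):
    """Check helper: does the rendered object still contain any of the sample secrets?"""
    rendered = str(obj)
    return any(s in rendered for s in secrets)


if __name__ == "__main__":
    print("key-name filter still leaks the JAAS password:",
          contains_secret(filter_by_key_name(SAMPLE_CONFIG)))
    print("redacted config:", redact_config(SAMPLE_CONFIG))
```

Masking instead of removing keeps the logged map useful for troubleshooting (the operator sees that `ssl.keystore.password` was supplied) without exposing the value; the JAAS case shows why a redaction routine has to look inside composite values, not only at key names.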

References:

Reported By: https://github.com/advisories/GHSA-rcqj-3fmp-5cqx