Strimzi, Kubernetes Role Misconfiguration, CVE-2024-35255 (Critical)


CVE-2024-35255 stems from a flaw in the Strimzi operator's role-generation logic for the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands. When one of these operands is deployed without a TLS or mTLS configuration (for example, no `.spec.tls.trustedCertificates` and no `type: tls` authentication section), the operator generates a Kubernetes Role whose rule grants `get` on the `secrets` resource with no `resourceNames` restriction. Kubernetes RBAC treats an absent or empty `resourceNames` list as matching every object of that resource, so the rule covers every Secret in the namespace rather than only the Secrets the operand actually needs. The Role is bound to the operand's ServiceAccount. Consequently, any process running in the affected Pod can use that ServiceAccount's token to call the Kubernetes API (`kubectl get secret <name>` or an equivalent raw request) and read the data of any Secret in the namespace whose name it knows. It cannot list Secrets (the rule grants no `list` verb) and cannot modify them. The bug is present in Strimzi versions 0.47.0 through 0.49.0.
Platform: Strimzi
Version: 0.47.0-0.49.0
Vulnerability: Role Misconfiguration
Severity: Critical
Date: 2024-06-05

Prediction: Patched 2024-06-05

What Undercode Say:

# Check the running Strimzi Cluster Operator version (image tag); add -n <namespace> if the operator is not in the current namespace
kubectl get deployment strimzi-cluster-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
# List KafkaConnect clusters
kubectl get kafkaconnect
# Examine the generated Role for a Connect cluster; a "secrets" rule with no resourceNames is the vulnerable case
kubectl get role <connect-cluster-name>-connect -o yaml | grep -A5 -B5 "secrets"
# Simulate access from within a Pod (if compromised). The token must be read inside the pod,
# so the command is wrapped in sh -c; note that the Connect image may not ship curl.
kubectl exec <connect-pod> -- sh -c 'curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/<namespace>/secrets/<secret-name>'
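The audit below is an added example for this post, not code from the original page or from the Strimzi project. It takes the JSON that `kubectl get role <name> -o json` prints, flags any rule that can read Secrets it does not name, mirrors the `resourceNames` matching decision Kubernetes RBAC makes (absent or empty list means every object), and shows what a least-privilege replacement rule looks like. The sample Role, its name, the namespace and the Secret names in it are constructed for the example.

```python
"""Audit a Kubernetes Role for rules that let a ServiceAccount read every
Secret in its namespace, the condition this advisory describes.

Input is the JSON that `kubectl get role <name> -o json` prints (pipe it
in on stdin). The sample Role below is constructed for this example and
is not a copy of what the Strimzi operator emits.
"""
import json
import sys

READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample: the first rule is the over-broad one (no resourceNames),
# the second is correctly scoped to a single named ConfigMap.
SAMPLE_ROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "my-connect-cluster-connect", "namespace": "kafka"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["my-connect-cluster-connect-config"], "verbs": ["get"]}
  ]
}
"""


def resource_name_matches(rule, requested_name):
    """Same decision Kubernetes RBAC makes: an absent or empty resourceNames
    list matches every object of the resource; otherwise the requested
    name must be listed explicitly."""
    names = rule.get("resourceNames") or []
    return not names or requested_name in names


def rule_reads_secrets(rule):
    """True if the rule grants a read verb on core-group Secrets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return bool(groups & {"", "*"}) and bool(resources & {"secrets", "*"}) \
        and bool(verbs & READ_VERBS)


def find_overbroad_secret_rules(role):
    """Return one finding per rule that can read Secrets it does not name.
    Each finding is (rule_index, sorted read verbs)."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if rule_reads_secrets(rule) and not rule.get("resourceNames"):
            findings.append((i, sorted(set(rule["verbs"]) & READ_VERBS)))
    return findings


def audit_json(role_json_text):
    """Parse kubectl's JSON output and audit it."""
    return find_overbroad_secret_rules(json.loads(role_json_text))


def scoped_secret_rule(secret_names):
    """Least-privilege replacement: read only the Secrets actually needed
    (e.g. the trusted-certificate Secrets the Connect CR references).
    The names are whatever the caller passes in; no Strimzi naming
    convention is assumed here."""
    return {
        "apiGroups": [""],
        "resources": ["secrets"],
        "resourceNames": sorted(set(secret_names)),
        "verbs": ["get"],
    }


if __name__ == "__main__":
    # Read a Role from stdin when piped; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLE_JSON
    role = json.loads(text)
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for idx, verbs in find_overbroad_secret_rules(role):
        print(f"{name}: rule {idx} grants {verbs} on ALL secrets in the namespace")
```

Run it against a live cluster with `kubectl get role <connect-cluster-name>-connect -o json | python3 audit_role.py` (the file name is arbitrary). The same function can be applied to every Role in a namespace by iterating over the `items` of `kubectl get roles -o json`; a `list` or `watch` verb without `resourceNames` would be worse than the `get`-only case described above, so the audit flags all read verbs.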

How Exploit:

The attacker first gains code execution inside a Kafka Connect pod (e.g., via plugin deployment). From there they read the pod's mounted ServiceAccount token and call the Kubernetes API for a Secret whose name they know, e.g. `kubectl get secret prod-db-credentials` (or the equivalent raw API request, since the Connect image normally does not ship kubectl). Because the Role grants no `list` verb, they must already know or guess Secret names. Any value obtained (passwords, tokens, keys) can then be exfiltrated through an outbound HTTP request from the pod.

Protection from this CVE:

Upgrade to Strimzi 0.49.1 or later. On vulnerable versions, make sure every KafkaConnect and KafkaMirrorMaker2 CR has TLS or mTLS configured (`.spec.tls.trustedCertificates` or `authentication.type: tls`), which avoids the configuration under which the unrestricted Role is generated; afterwards verify that the generated Role's `secrets` rule carries explicit `resourceNames`. Apply NetworkPolicies that restrict pod egress so stolen values are harder to exfiltrate, and use OPA/Gatekeeper (or another admission policy) to reject CRs that lack the TLS configuration and Roles that grant Secret access without `resourceNames`.

Impact:

Unauthorized read access to any Secret in the namespace from a compromised Connect or MirrorMaker2 pod: credential theft, lateral movement or privilege escalation with the stolen credentials, and compliance breach.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode