Platform
java
Component
org.apache.kafka:kafka-clients
Fixed in
3.5.3
3.6.3
3.7.1
CVE-2024-31141 is a Privilege Escalation vulnerability affecting Apache Kafka Clients versions up to 3.7.0. This vulnerability arises from the improper handling of configuration data, specifically when using ConfigProvider plugins like FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider. Attackers can leverage this to manipulate Kafka's behavior if configurations are sourced from untrusted parties. A fix is available in version 3.7.1.
An attacker exploiting this vulnerability could gain unauthorized control over Kafka cluster behavior by manipulating configuration settings. This could involve altering topics, brokers, or other critical parameters, leading to data breaches, denial of service, or even complete cluster compromise. The vulnerability stems from the ability of ConfigProviders, such as FileConfigProvider and DirectoryConfigProvider, to read configuration data from untrusted sources. If an attacker can control the files or directories used by these providers, they can effectively dictate how Kafka operates. This is particularly concerning in environments where configuration is not properly secured or validated.
This vulnerability was publicly disclosed on 2024-11-19. There is currently no known public proof-of-concept (POC) code available. The CVSS score is 6.5 (MEDIUM), indicating a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on external configuration manipulation suggests a targeted attack scenario rather than widespread automated exploitation.
Organizations utilizing Apache Kafka Clients in environments where configuration data is sourced from untrusted parties are at significant risk. This includes cloud deployments where configuration files are stored in shared storage, containerized environments where environment variables are easily manipulated, and systems with legacy configuration management practices. Shared hosting environments where multiple users share the same Kafka instance are particularly vulnerable.
• java / server: ps -ef | grep Kafka
• java / server: find /opt/kafka /usr/local/kafka -name config.properties -print
• java / server: journalctl -u kafka -f | grep "ConfigProvider"
disclosure
Exploit status
EPSS
0.11% (30th percentile)
CVSS vector
The primary mitigation for CVE-2024-31141 is to upgrade to Apache Kafka Clients version 3.7.1 or later. If immediate upgrading is not possible, restrict access to configuration files and directories used by ConfigProviders. Implement strict validation of configuration data to prevent malicious modifications. Consider using a ConfigProvider that does not rely on external files or directories, if feasible. Monitor Kafka logs for unusual configuration changes. After upgrading, verify the fix by attempting to manipulate configuration files from an untrusted source and confirming that the changes are rejected.
Upgrade the kafka-clients library to version 3.8.0 or later. Additionally, set the JVM system property 'org.apache.kafka.automatic.config.providers' to 'none' to disable automatic ConfigProviders. If you use Kafka Connect, configure 'allowlist.pattern' and 'allowed.paths' to restrict access to files and environment variables.
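The two Kafka Connect settings named above, shown as an added configuration example that is not part of this advisory or of the Kafka project's own documentation. The first fragment is the weak form: a FileConfigProvider and an EnvVarConfigProvider registered without any restriction, so any configuration that references them can resolve any readable file or environment variable. The second fragment is the hardened form for kafka-clients 3.8.0 or later. The provider names `secrets` and `env`, the directory `/etc/kafka/secrets` and the `KAFKA_` variable prefix are assumed values chosen for the example; the JVM flag in the comment applies to plain producer, consumer and admin clients rather than to Connect.

```properties
# --- Weak worker configuration (pre-fix behaviour): providers are unrestricted.
config.providers=secrets,env
config.providers.secrets.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
# With no allowed.paths / allowlist.pattern, a connector configuration supplied by
# an untrusted party can point these providers at any file or variable the worker can read.

# --- Hardened worker configuration (kafka-clients >= 3.8.0): each provider is fenced in.
config.providers=secrets,env
config.providers.secrets.class=org.apache.kafka.common.config.provider.FileConfigProvider
# allowed.paths: only files below this directory may be resolved (assumed path).
config.providers.secrets.param.allowed.paths=/etc/kafka/secrets
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
# allowlist.pattern: only environment variables matching this regex are exposed (assumed prefix).
config.providers.env.param.allowlist.pattern=^KAFKA_.*

# For plain clients (producer/consumer/admin) that may receive configuration from an
# untrusted party, start the JVM with the automatic provider loading switched off:
#   java -Dorg.apache.kafka.automatic.config.providers=none ...
```

Connect passes every `config.providers.<name>.param.<key>` entry to the named provider's `configure()` call, which is why `allowed.paths` and `allowlist.pattern` are set through that prefix rather than at the top level. When verifying the fix after an upgrade, point a test connector at a file outside `/etc/kafka/secrets` or at a variable outside the `KAFKA_` prefix and confirm that the worker rejects the reference.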
CVE-2024-31141 is a vulnerability in Apache Kafka Clients ≤3.7.0 that allows attackers to manipulate Kafka's behavior by influencing configuration data sourced from untrusted parties via ConfigProviders.
You are affected if you are using Apache Kafka Clients versions 3.7.0 or earlier and your Kafka configurations are sourced from potentially untrusted locations like disk or environment variables.
Upgrade to Apache Kafka Clients version 3.7.1 or later. Prior to upgrading, review and secure your configuration management practices to prevent unauthorized configuration changes.
As of November 2024, there are no publicly known active exploits for CVE-2024-31141, but the potential for exploitation exists.
Refer to the Apache Kafka security page for the latest information and advisory regarding CVE-2024-31141: https://kafka.apache.org/security