VYPR
High severity · NVD Advisory · Published Jun 10, 2025 · Updated Jun 10, 2025

Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration

CVE-2025-27819

Description

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in the Kafka Connect API. But not only the Kafka Connect API is vulnerable to this attack; the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also, by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in Apache Kafka 3.9.1/4.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Kafka brokers are vulnerable to RCE or denial of service via SASL JAAS JndiLoginModule, requiring cluster access and AlterConfigs permission.

Root Cause

Apache Kafka brokers, not just the Kafka Connect API, are susceptible to a remote code execution (RCE) or denial of service (DoS) attack through the SASL JAAS JndiLoginModule configuration. This vulnerability extends the previously disclosed CVE-2023-25194, which initially targeted the Kafka Connect API. The issue stems from the ability to configure the com.sun.security.auth.module.JndiLoginModule in the JAAS configuration for broker clients, enabling JNDI-based LDAP lookups that can be abused for deserialization attacks [2].

Exploitation Prerequisites

To exploit this vulnerability, an attacker must be able to connect to the Kafka cluster and possess the AlterConfigs permission on the cluster resource. This allows the attacker to modify the broker's SASL JAAS configuration to include the JndiLoginModule, which, when triggered, connects to an attacker-controlled LDAP server. The LDAP server returns a serialized Java object that, if gadget chains are present in the classpath, leads to arbitrary code execution [1].

Impact

Successful exploitation can result in remote code execution, giving the attacker full control over the affected Kafka broker, or a denial of service condition. The vulnerability can be exploited via broker configuration, making it critical for organizations running Apache Kafka versions prior to the mitigated releases [2].

Mitigation

Starting with Apache Kafka 3.4.0, a system property -Dorg.apache.kafka.disallowed.login.modules was introduced to disable problematic login modules. By default, com.sun.security.auth.module.JndiLoginModule is disabled in Kafka 3.4.0, and from versions 3.9.1 and 4.0.0, both JndiLoginModule and LdapLoginModule are disabled by default. Users are strongly advised to upgrade to these patched versions or apply the system property to block usage of the vulnerable login modules [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
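The mitigation above amounts to two checks an operator can automate: whether any SASL JAAS configuration on a broker names the JndiLoginModule or LdapLoginModule, and whether the broker JVM is started with the disallowed-login-modules property. The following is an added example written for this page, not code from the advisory or from the Apache Kafka project; it assumes JAAS entries in the standard "class flag option=value ...;" form (as used by sasl.jaas.config values) and JVM options given as a single string such as KAFKA_OPTS, and the sample inputs are constructed.

```python
import re

PROPERTY = "org.apache.kafka.disallowed.login.modules"
JNDI = "com.sun.security.auth.module.JndiLoginModule"
LDAP = "com.sun.security.auth.module.LdapLoginModule"
# Modules the advisory says are disabled by default: JNDI from 3.4.0,
# JNDI and LDAP from 3.9.1 / 4.0.0. Both are worth flagging wherever they appear.
RISKY_MODULES = frozenset({JNDI, LDAP})

def login_modules(jaas_config: str) -> list[str]:
    """Extract login module class names from a JAAS config string such as a
    sasl.jaas.config value. Entries look like: <class> <flag> [opt=val ...];"""
    modules = []
    for entry in jaas_config.split(";"):
        tokens = entry.split()  # the class name is always the first token
        if tokens:
            modules.append(tokens[0])
    return modules

def disallowed_from_jvm_opts(jvm_opts: str) -> set[str]:
    """Return the modules explicitly listed via
    -Dorg.apache.kafka.disallowed.login.modules=a,b in a JVM option string
    (for example the contents of KAFKA_OPTS). Only what is set explicitly is
    reported; version defaults are not inferred here."""
    m = re.search(r"-D" + re.escape(PROPERTY) + r"=([^\s\"']*)", jvm_opts)
    if not m:
        return set()
    return {x.strip() for x in m.group(1).split(",") if x.strip()}

def audit(jaas_config: str, jvm_opts: str) -> dict:
    """Report risky login modules present in a JAAS config and whether the
    JVM options explicitly disallow each of the risky modules."""
    found = [m for m in login_modules(jaas_config) if m in RISKY_MODULES]
    explicit = disallowed_from_jvm_opts(jvm_opts)
    return {
        "risky_modules_in_config": found,
        "explicitly_disallowed": sorted(RISKY_MODULES & explicit),
        "not_explicitly_disallowed": sorted(RISKY_MODULES - explicit),
    }

# Constructed sample inputs (hypothetical values, not from any real deployment).
SAFE_JAAS = ('org.apache.kafka.common.security.plain.PlainLoginModule required '
             'username="broker" password="broker-secret";')
RISKY_JAAS = ('com.sun.security.auth.module.JndiLoginModule required '
              'user.provider.url="ldap://ldap.example.invalid/";')
HARDENED_OPTS = "-Xmx4g -D" + PROPERTY + "=" + JNDI + "," + LDAP

if __name__ == "__main__":
    print(audit(SAFE_JAAS, "-Xmx4g"))          # nothing risky, but property unset
    print(audit(RISKY_JAAS, HARDENED_OPTS))    # JNDI present, both modules blocked
```

Run it against each broker's effective sasl.jaas.config values and its KAFKA_OPTS; a non-empty risky_modules_in_config on any broker, or a non-empty not_explicitly_disallowed on a version older than the patched releases, is the finding to act on.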

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
org.apache.kafka:kafka_2.10    Maven       >= 0
org.apache.kafka:kafka_2.11    Maven       >= 0
org.apache.kafka:kafka_2.12    Maven       < 3.4.0             3.4.0
org.apache.kafka:kafka_2.13    Maven       < 3.4.0             3.4.0
org.apache.kafka:kafka_2.8.0   Maven       >= 0
org.apache.kafka:kafka_2.8.2   Maven       >= 0
org.apache.kafka:kafka_2.9.1   Maven       >= 0
org.apache.kafka:kafka_2.9.2   Maven       >= 0
