Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration
Description
In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.
Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.kafka:kafka_2.10Maven | >= 0 | — |
org.apache.kafka:kafka_2.11Maven | >= 0 | — |
org.apache.kafka:kafka_2.12Maven | < 3.4.0 | 3.4.0 |
org.apache.kafka:kafka_2.13Maven | < 3.4.0 | 3.4.0 |
org.apache.kafka:kafka_2.8.0Maven | >= 0 | — |
org.apache.kafka:kafka_2.8.2Maven | >= 0 | — |
org.apache.kafka:kafka_2.9.1Maven | >= 0 | — |
org.apache.kafka:kafka_2.9.2Maven | >= 0 | — |
Affected products
10- osv-coords9 versionspkg:bitnami/kafkapkg:maven/org.apache.kafka/kafka_2.10pkg:maven/org.apache.kafka/kafka_2.11pkg:maven/org.apache.kafka/kafka_2.12pkg:maven/org.apache.kafka/kafka_2.13pkg:maven/org.apache.kafka/kafka_2.8.0pkg:maven/org.apache.kafka/kafka_2.8.2pkg:maven/org.apache.kafka/kafka_2.9.1pkg:maven/org.apache.kafka/kafka_2.9.2
>= 2.0.0, < 3.4.1+ 8 more
- (no CPE)range: >= 2.0.0, < 3.4.1
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: < 3.4.0
- (no CPE)range: < 3.4.0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- Apache Software Foundation/Apache Kafkav5Range: 2.0.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-26f8-x7cc-wqpcghsaADVISORY
- github.com/advisories/GHSA-mcwh-c9pg-xw43ghsaADVISORY
- kafka.apache.org/cve-listghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-27819ghsaADVISORY
News mentions
0No linked articles in our index yet.