====================================================================
CERT-Renater Information Note No. 2020/VULN006
_____________________________________________________________________

DATE: 14/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kafka versions prior to 2.0.2, 2.1.2, 2.2.2, 2.3.1.
=====================================================================

http://mail-archives.apache.org/mod_mbox/www-announce/202001.mbox/%3cCALYgK0H+-R15nwJ4i71w1Rv_7y5MGpAf-Zm9AZ_+UTJMzJ4PHw@mail.gmail.com%3e
_____________________________________________________________________

CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0

Description:

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created or updated on that Connect cluster to use an externalized secret variable as a substring of a connector configuration property value (that is, the externalized secret variable is not the whole property value), then any client can issue a request to the same Connect cluster for the connector's task configurations, and the response will contain the plaintext secret rather than the externalized secret variable.

Mitigation:

Apache Kafka Connect users should upgrade to one of the following versions, where this vulnerability has been fixed:

- 2.0.2 or higher
- 2.1.2 or higher
- 2.2.2 or higher
- 2.3.1 or higher

Acknowledgements:

This issue was first reported by Oleksandr Diachenko.

Regards,
Randall

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
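The description above turns on one detail: a secret reference that is the whole property value is returned as a reference by the tasks endpoint, while the same reference embedded inside a longer value (a JDBC URL, for instance) comes back already resolved. The following Python is an added illustration written for this note; it is not Apache Kafka Connect code. It models the affected and fixed behaviour of the tasks endpoint with an in-memory config provider, assumes the `${provider:path:key}` variable syntax, uses constructed connector properties and secret values, and ends with a check an operator can run against a tasks endpoint response to detect a resolved secret.

```python
import re

# Constructed model of CVE-2019-12399; illustrative only, not Kafka Connect code.
# Assumed variable syntax: ${provider:path:key}
VAR_PATTERN = re.compile(r"\$\{(\w+):([^:}]+):([^}]+)\}")


class DictConfigProvider:
    """Stand-in for a Connect config provider; serves secrets from an in-memory dict."""

    def __init__(self, secrets):
        self.secrets = secrets  # {path: {key: value}}

    def get(self, path, key):
        return self.secrets[path][key]

    def all_values(self):
        return {v for keys in self.secrets.values() for v in keys.values()}


def resolve(value, providers):
    """Substitute every ${provider:path:key} in value with the secret it references."""
    return VAR_PATTERN.sub(
        lambda m: providers[m.group(1)].get(m.group(2), m.group(3)), value
    )


def tasks_response_vulnerable(connector_config, providers):
    """Models the affected versions: a property that is entirely one variable keeps
    its reference in the tasks endpoint response, but a variable embedded as a
    substring is returned already resolved, i.e. as plaintext."""
    out = {}
    for key, value in connector_config.items():
        out[key] = value if VAR_PATTERN.fullmatch(value) else resolve(value, providers)
    return [out]


def tasks_response_fixed(connector_config):
    """Models the fixed versions: the endpoint returns the externalized references;
    resolution happens only inside the worker when the task is started."""
    return [dict(connector_config)]


def runtime_task_config(task_config, providers):
    """What the task itself sees at start-up; identical in both versions."""
    return {k: resolve(v, providers) for k, v in task_config.items()}


def leaked_secrets(response, providers):
    """Defensive check for a tasks endpoint response: report every known secret
    value that appears verbatim in any returned task configuration."""
    known = set().union(*(p.all_values() for p in providers.values()))
    return {s for cfg in response for v in cfg.values() for s in known if s in v}


# Constructed sample data (provider path, key and secret are made up)
PROVIDERS = {"file": DictConfigProvider({"/etc/kafka/db.properties": {"pw": "s3cr3t-pass"}})}
CONNECTOR_CONFIG = {
    "connector.class": "io.example.JdbcSinkConnector",  # constructed class name
    # whole-value reference: returned as a reference even in affected versions
    "connection.password": "${file:/etc/kafka/db.properties:pw}",
    # substring reference: returned resolved by affected versions
    "connection.url": "jdbc:postgresql://db/app?password=${file:/etc/kafka/db.properties:pw}",
}

if __name__ == "__main__":
    vulnerable = tasks_response_vulnerable(CONNECTOR_CONFIG, PROVIDERS)
    fixed = tasks_response_fixed(CONNECTOR_CONFIG)
    print("affected versions leak:", leaked_secrets(vulnerable, PROVIDERS))
    print("fixed versions leak:   ", leaked_secrets(fixed, PROVIDERS))
    print("task sees at runtime:  ", runtime_task_config(fixed[0], PROVIDERS))
```

The `leaked_secrets` check is the useful part for an operator who cannot upgrade immediately: it compares a tasks endpoint response against the values a config provider actually serves, so it flags the substring case without needing to know which property embedded the reference.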