Apache Kafka affected by CVE-2024-31141

The open-source event streaming platform Apache Kafka is affected by a vulnerability in its client library (kafka-clients) that could allow an attacker who controls client configuration to read sensitive files and environment variables on the host running the client.

The vulnerability, tracked as CVE-2024-31141 and with no CVSS score assigned at the time of writing, stems from how Apache Kafka Clients handle configuration data: client configuration can contain references that are resolved at runtime by ConfigProvider plugins. The advisory explains that “Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.

In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.” In practice this means that a configuration value of the form ${provider:path:key}, supplied by whoever can set client configuration, is expanded by the named provider: the file and directory providers return contents read from the given path, and the env provider returns the named environment variable. The advisory singles out Kafka Connect, whose REST API accepts connector configurations, as a deployment where this turns API access into filesystem and environment access.


The Apache Kafka project has urged affected users to act. Every kafka-clients release before 3.8.0 is in scope (the advisory's affected range starts at 2.3.0), and the recommendation is to upgrade kafka-clients to version 3.8.0 or higher and to set the JVM system property “org.apache.kafka.automatic.config.providers=none” (for example with -Dorg.apache.kafka.automatic.config.providers=none on the Java command line). That property stops the client library from automatically instantiating ConfigProviders that are declared inside the configuration it is handed, so an untrusted configuration can no longer bring its own provider.

Users of Kafka Connect whose worker configuration enables one of these ConfigProvider implementations are advised to bound them with the provider parameters added for this purpose: “allowed.paths” for FileConfigProvider and DirectoryConfigProvider, which limits reads to the listed directories, and “allowlist.pattern” for EnvVarConfigProvider, a regular expression that a variable name must match before it is returned.

The project also cautions that this system property should not be set for the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, or the Kafka command-line tools; it is meant for applications that embed kafka-clients and accept configuration from untrusted parties.
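To make the mechanism and the two mitigations concrete, the following Python simulation is added here; it is not Apache Kafka code, and the class and function names, the regular expression, the sample properties file, the private file and the environment variables are all constructed for the example. It models how a ${provider:path:key} reference in an untrusted configuration is resolved by file, directory and env providers, how allowed.paths and allowlist.pattern bound that resolution, and what org.apache.kafka.automatic.config.providers=none changes for a configuration that declares its own config.providers.

```python
"""Added simulation of Kafka-style ${provider:path:key} config resolution (not Kafka code).
Models FileConfigProvider, DirectoryConfigProvider and EnvVarConfigProvider, their
allowed.paths / allowlist.pattern bounds, and org.apache.kafka.automatic.config.providers=none."""
import os
import re
import tempfile
from pathlib import Path

# Same shape as Kafka's variable syntax: ${provider:path:key} or ${provider:key}.
VAR_RE = re.compile(r"\$\{([^}]*?):(?:([^}]*?):)?([^}]*?)\}")

class FileProvider:
    """Reads key from the properties file at path (cf. FileConfigProvider)."""
    def __init__(self, allowed_paths=()):
        self.allowed = [Path(p).resolve() for p in allowed_paths]  # allowed.paths

    def _check(self, p):
        if self.allowed and not any(p == a or a in p.parents for a in self.allowed):
            raise PermissionError(f"{p} is outside allowed.paths")

    def get(self, path, key):
        p = Path(path).resolve()
        self._check(p)
        for line in p.read_text().splitlines():
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                return v.strip()
        return None

class DirectoryProvider(FileProvider):
    """Returns the whole content of <path>/<key> (cf. DirectoryConfigProvider)."""
    def get(self, path, key):
        p = (Path(path) / key).resolve()
        self._check(p)
        return p.read_text()

class EnvProvider:
    """Returns the environment variable named key (cf. EnvVarConfigProvider)."""
    def __init__(self, allowlist_pattern=None, environ=None):
        self.pattern = re.compile(allowlist_pattern) if allowlist_pattern else None
        self.environ = os.environ if environ is None else environ

    def get(self, path, key):
        if self.pattern and not self.pattern.fullmatch(key):  # allowlist.pattern
            raise PermissionError(f"{key} does not match allowlist.pattern")
        return self.environ.get(key)

PROVIDER_CLASSES = {"file": FileProvider, "directory": DirectoryProvider, "env": EnvProvider}

def providers_from_config(config, automatic="all"):
    """Providers a config declares for itself via config.providers, as kafka-clients
    instantiated them; automatic="none" models the 3.8.0 property and ignores them."""
    if automatic == "none":
        return {}
    names = [n for n in config.get("config.providers", "").split(",") if n]
    return {n: PROVIDER_CLASSES[n]() for n in names if n in PROVIDER_CLASSES}

def resolve(config, providers):
    """Substitute every ${...} reference; references to unknown providers stay literal."""
    def sub(m):
        name, path, key = m.groups()
        return str(providers[name].get(path, key)) if name in providers else m.group(0)
    return {k: VAR_RE.sub(sub, v) for k, v in config.items()
            if not k.startswith("config.providers")}

def demo():
    """Three scenarios on constructed data; returns (leaked, bounded_result, auto, none)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "secrets").mkdir()
        (root / "secrets" / "db.properties").write_text("db.password=hunter2\n")
        (root / "private.txt").write_text("not-for-connectors\n")
        env = {"KAFKA_TLS_PASSWORD": "kafka-pw", "CLOUD_API_KEY": "cloud-key"}
        # Values an untrusted party chose, e.g. a connector config sent to an API.
        untrusted = {
            "db.password": f"${{file:{root}/secrets/db.properties:db.password}}",
            "x": f"${{directory:{root}:private.txt}}",  # arbitrary file read
            "y": "${env:CLOUD_API_KEY}",                 # arbitrary env read
        }
        # 1. Unbounded providers: every reference resolves, leaks included.
        wide = {"file": FileProvider(), "directory": DirectoryProvider(),
                "env": EnvProvider(environ=env)}
        leaked = resolve(untrusted, wide)
        # 2. Bounded providers: the legitimate reference works, the leaks are refused.
        bounded = {"file": FileProvider([root / "secrets"]),
                   "directory": DirectoryProvider([root / "secrets"]),
                   "env": EnvProvider(r"KAFKA_.*", env)}
        bounded_result = {}
        for k, v in untrusted.items():
            try:
                bounded_result[k] = resolve({k: v}, bounded)[k]
            except PermissionError:
                bounded_result[k] = "BLOCKED"
        # 3. A config that smuggles its own provider declaration.
        smuggled = {"config.providers": "directory", "z": untrusted["x"]}
        auto = resolve(smuggled, providers_from_config(smuggled))
        none = resolve(smuggled, providers_from_config(smuggled, automatic="none"))
        return leaked, bounded_result, auto, none

if __name__ == "__main__": print(demo())
```

Scenario 1 is the vulnerable state: a provider the operator enabled for one legitimate secret also serves an attacker's ${directory:...} and ${env:...} references. Scenario 2 shows the bounds doing their job, and scenario 3 shows why the system property matters even when the operator configured nothing: a configuration can declare config.providers for itself. In a real Kafka Connect worker configuration the bounds are set as provider parameters, for example config.providers.file.param.allowed.paths for the file provider and config.providers.env.param.allowlist.pattern for the env provider, and the property is passed to the JVM as a -D flag.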
