Critical RCE vulnerability discovered in Kafka UI

According to a GitHub blog post, researchers discovered three critical remote code execution (RCE) vulnerabilities in Kafka UI, an open-source web application used to manage and monitor Apache Kafka clusters. These vulnerabilities have been addressed in the latest release, version 0.7.2, and users are advised to update their systems to mitigate potential exploits.

CVE-2023-52251: RCE via Groovy script execution

The first vulnerability, identified as CVE-2023-52251, leverages the message filtering functionality within the Kafka UI. An attacker could use: GROOVY_SCRIPT A type of filter to execute arbitrary Groovy scripts, leading to a potential RCE. The exploit is highly accessible, as it can be initiated via a simple HTTP GET request. The vulnerability was reported in November 2023 and patched in April 2024.

CVE-2024-32030: RCE via JMX connector

The second vulnerability, CVE-2024-32030, relates to the Java Management Extensions (JMX) connector used by the Kafka UI to monitor Kafka brokers. dynamic.config.enabled When the setting is enabled, an attacker can configure the Kafka UI to connect to a malicious JMX server and cause a deserialization attack. This vulnerability was also fixed in the 0.7.2 release.

CVE-2023-25194: RCE via JndiLoginModule

The third vulnerability, CVE-2023-25194, exploits JndiLoginModule for authentication. An attacker can trigger an RCE by manipulating cluster properties. This issue dynamic.config.enabled The property has been set true. The fix was included in the 0.7.2 release and prevents the use of JndiLoginModule.

Kafka UI users are advised to upgrade to version 0.7.2 to protect their systems from these critical vulnerabilities. The fixes include updating dependencies and adding stricter controls to prevent potential exploits.

Image source: Shutterstock