CVE-2024-32030
Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI
Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230.
Reserved 2024-04-09 | Published 2024-06-19 | Updated 2024-08-02 | Assigner GitHub_MCWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-502: Deserialization of Untrusted Data
securitylab.github.com/...L-2023-229_GHSL-2023-230_kafka-ui/
github.com/provectus/kafka-ui/pull/4427
github.com/...ommit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7
Support options
