Apache Kafka Vulnerable To Persistent Remote Denial Of Service Via Topic Names

  Original release date: June 11, 2019
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  Apache Kafka versions 2.2.0 and below.

  TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition
    versions 2.1.0 and below

  TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition
    versions 2.1.0 and below

  The following component is affected:

    * Topic management


Description

  The component listed above contains a vulnerability that theoretically allows
  a user with permission to create topics which will trigger an unexpected
  server process exit. With the specially crafted topic names, when the server
  deletes at user request, discards according to retention policy, or
  repartitions, it is theoretically possible that the server will terminate
  unexpectedly.


Impact

  The impact of this vulnerability includes the theoretical possibility that
  a malicious user could unexpectedly terminate a cluster of Kafka server
  processes. The possibility exists that attempts to restart the server will
  also fail.

  CVSS v3 Base Score: 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


Solution

  TIBCO has released updated versions of the affected components which
  address these issues.

  TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition
    versions 2.1.0 and below upgrade to version 2.2.0-1

  TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition
    versions 2.1.0 and below upgrade to version 2.2.0-1


Acknowledgments

  TIBCO would like to extend its appreciation to Dave Yesland of Rhino Security
  Labs for discovery of this vulnerability.


References

  http://www.tibco.com/services/support/advisories
  https://issues.apache.org/jira/browse/KAFKA-4893