TIBCO Security Advisory: June 11, 2019 - Apache Kafka
Apache Kafka Vulnerable To Persistent Remote Denial Of Service Via Topic Names
Original release date: June 11, 2019
Source: TIBCO Software Inc.
The following products are affected:
- Apache Kafka versions 2.2.0 and below
- TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition versions 2.1.0 and below
- TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition versions 2.1.0 and below
The following component is affected:
- Topic management
The component listed above contains a vulnerability that theoretically allows a user with permission to create topics to choose topic names that trigger an unexpected server process exit. With such specially crafted topic names, it is theoretically possible that the server will terminate unexpectedly when it deletes the topic at a user's request, discards it according to the retention policy, or repartitions it.
The impact of this vulnerability includes the theoretical possibility that a malicious user could unexpectedly terminate a cluster of Kafka server processes. The possibility also exists that subsequent attempts to restart the server will fail.
CVSS v3 Base Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
TIBCO has released updated versions of the affected components which address these issues.
- TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition versions 2.1.0 and below: upgrade to version 2.2.0-1
- TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition versions 2.1.0 and below: upgrade to version 2.2.0-1
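Because the trigger is a topic name supplied by a user with create permission, an operator who cannot upgrade immediately can vet names before creation and audit the names already present. The following is an added example (not TIBCO's or Apache Kafka's code) of such a check: it applies Kafka's own documented naming rules (characters `[a-zA-Z0-9._-]`, maximum length 249, `.` and `..` reserved) and a stricter site-specific length cap, which is an assumption of this example since the advisory does not state what makes a name "specially crafted". Kafka's `create.topic.policy.class.name` broker setting lets the same logic be enforced server-side in a Java `CreateTopicPolicy`.

```python
import re
from dataclasses import dataclass, field

# Kafka's documented topic-name rules (Topic.validate in the Kafka client library).
KAFKA_LEGAL_NAME = re.compile(r"^[a-zA-Z0-9._-]+$")
KAFKA_MAX_NAME_LENGTH = 249

# Assumption for this example: a site policy tighter than Kafka's limit, leaving
# headroom for the "<topic>-<partition>" log directory name and any suffix the
# broker appends to it. The advisory does not specify a safe value.
SITE_MAX_NAME_LENGTH = 200


@dataclass
class Verdict:
    name: str
    allowed: bool
    reasons: list = field(default_factory=list)


def check_topic_name(name: str, site_max: int = SITE_MAX_NAME_LENGTH) -> Verdict:
    """Return whether a proposed topic name passes Kafka's rules and the site cap."""
    reasons = []
    if not name:
        reasons.append("empty name")
    elif name in (".", ".."):
        reasons.append("'.' and '..' are reserved")
    elif not KAFKA_LEGAL_NAME.match(name):
        reasons.append("illegal characters; Kafka allows only [a-zA-Z0-9._-]")
    if len(name) > KAFKA_MAX_NAME_LENGTH:
        reasons.append(f"longer than Kafka's limit of {KAFKA_MAX_NAME_LENGTH}")
    elif len(name) > site_max:
        reasons.append(f"longer than site limit of {site_max}")
    return Verdict(name, not reasons, reasons)


def audit_topic_names(names, site_max: int = SITE_MAX_NAME_LENGTH) -> dict:
    """Map each rejected name (e.g. from `kafka-topics.sh --list`) to its reasons,
    so the names can be reviewed before any delete, retention or repartition."""
    verdicts = (check_topic_name(n, site_max) for n in names)
    return {v.name: v.reasons for v in verdicts if not v.allowed}


if __name__ == "__main__":
    # Constructed sample: names that an audit of an existing cluster might return.
    sample = ["orders.v1", "audit-log_2019", "x" * 220, "bad name"]
    for topic, why in audit_topic_names(sample).items():
        print(f"REJECT {topic[:40]!r}: {'; '.join(why)}")
```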
TIBCO would like to extend its appreciation to Dave Yesland of Rhino Security Labs for discovery of this vulnerability.