
Published: November 2024
Severity: High (the Apache Kafka advisory itself rates it moderate)
Affects: Apache Kafka Clients 2.3.0 through 3.5.2, 3.6.2, 3.7.0
Component: Kafka Clients, Kafka Connect
Fixed in: 3.8.0

TL;DR

CVE-2024-31141 is a high-severity vulnerability in Apache Kafka Clients: anyone who can supply a Kafka client configuration can make the client read arbitrary files and environment variables on the host where it runs. This matters most in multi-tenant or SaaS deployments, where Kafka Connect hands connector configuration to API users. Upgrade to kafka-clients 3.8.0 or later, start JVMs that accept untrusted configuration with the system property org.apache.kafka.automatic.config.providers=none, and bound the paths and variables that any ConfigProvider you do enable may read.

Summary

Apache Kafka Clients accept configuration data and support ConfigProvider plugins that resolve placeholders of the form ${provider:path:key} inside that configuration. Kafka ships three implementations: FileConfigProvider and DirectoryConfigProvider, which read files on disk, and EnvVarConfigProvider, which reads environment variables. Before 3.8.0 the client also instantiated whatever providers the configuration itself named under config.providers, so whoever controls a client configuration chooses both which provider is loaded and what it reads. If untrusted users (or compromised clients) can specify or influence a Kafka client configuration, they can abuse these providers to read sensitive files and environment variables on the host running the client.

This is an escalation path: in Kafka Connect, an attacker with REST API access can turn the ability to submit connector configuration into filesystem and environment inspection on the worker, including the secrets stored there.

Vulnerability Details

- Issue: If client configuration can be set by untrusted parties, they can instruct the client to read arbitrary files, directories or environment variables (including secrets) through the bundled ConfigProvider plugins.
- Main attack surface: Services such as Kafka Connect, where connector configuration is supplied by API users and resolved on the worker.
- No additional risk: Deployments where only trusted operators set Kafka client configurations, or where the client never receives external configuration input.

Example Scenario: Kafka Connect REST Escalation

Suppose you run Kafka Connect in a SaaS environment. A tenant with legitimate REST API access, but no shell access to the worker, submits a connector configuration using the following pattern:

{
  "name": "danger-connector",
  "config": {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "file": "${file:/etc/passwd:root}"
  }
}

If the worker config declares FileConfigProvider under the name file, Connect resolves the ${file:/etc/passwd:root} reference before handing the value to the connector. FileConfigProvider parses the target as a Java properties file, so the key root resolves to the remainder of the root line (x:0:0:root:/root:/bin/bash on a typical system). The Connect REST API returns the stored, unresolved config, so the attacker recovers the value indirectly: here it becomes the sink's output file name, and it may also surface in connector error messages and worker logs. The same pattern with ${directory:...} or ${env:...} reaches directories and environment variables when those providers are declared.

Exploit Example

Here is a simplified Java snippet showing the primitive the attack relies on: on kafka-clients before 3.8.0, a FileConfigProvider with no path restriction reads any file the JVM can open and parses it as Java properties:

import org.apache.kafka.common.config.ConfigData;
import org.apache.kafka.common.config.provider.FileConfigProvider;

import java.util.Collections;
import java.util.HashMap;

public class ExploitDemo {
    public static void main(String[] args) {
        FileConfigProvider provider = new FileConfigProvider();
        // Empty provider config: before 3.8.0 there is no allowed.paths, so any
        // file the JVM can open is reachable.
        provider.configure(new HashMap<>());
        // The target is parsed as a Java properties file; in /etc/passwd the text
        // before the first ':' on a line becomes the key, so "root" resolves to the
        // rest of the root user's entry. Point the path at any file you want to read.
        ConfigData data = provider.get("/etc/passwd", Collections.singleton("root"));
        System.out.println("Leaked data: " + data.data());
    }
}

A Kafka client that builds its configuration from user-controlled input executes a similar code path, except that the attacker also chooses the provider class via config.providers, and the resolved secret lands wherever the configuration value is used.

Mitigation

1. Upgrade Kafka Clients to 3.8.0 or Later

This vulnerability is fixed in kafka-clients 3.8.0. That release adds the org.apache.kafka.automatic.config.providers system property and an allowed.paths setting for FileConfigProvider and DirectoryConfigProvider. The defaults keep the previous behaviour, so the upgrade only pays off once you apply the settings below.

2. Disable Automatic Config Providers Where Configs Are Untrusted

For applications that accept configuration from untrusted sources (multi-tenant services, REST APIs, SaaS products), start the JVM with:

-Dorg.apache.kafka.automatic.config.providers=none

With this set, kafka-clients refuses to instantiate ConfigProvider classes named in a client configuration's config.providers key, so an attacker can no longer enable a provider just by naming it. Kafka Connect resolves connector configs through the providers declared in the worker config, so those still need to be bounded separately (next step).

3. Restrict Worker-Configured ConfigProviders in Kafka Connect

If your Connect worker config declares any of the bundled providers, bound what they may read. allowed.paths (FileConfigProvider and DirectoryConfigProvider, honoured on 3.8.0 and later) is a comma-separated list of directories; allowlist.pattern (EnvVarConfigProvider) is a regex that environment variable names must match. Note that the original pairing of allowlist.pattern with DirectoryConfigProvider is wrong; the directory provider takes allowed.paths:

config.providers=file,directory,env

config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.file.param.allowed.paths=/home/kafka/configs

config.providers.directory.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider
config.providers.directory.param.allowed.paths=/home/kafka/configs

config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
config.providers.env.param.allowlist.pattern=^CONNECT_SECRET_.*$

Paths outside allowed.paths and variables that do not match allowlist.pattern are refused rather than read. Drop any provider you do not actually use.
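To check what tenants have actually submitted, the following Python script is an added example (not code from the original post or from Apache Kafka). It takes connector configs in the shape returned by the Connect REST API's GET /connectors?expand=info and evaluates every ${provider:path:key} placeholder against a policy mirroring the worker settings above: allowed.paths for file and directory, allowlist.pattern for env. It also handles the traversal case (/home/kafka/configs/../../../etc/shadow) and the sibling-directory case (/home/kafka/configs_evil). The sample connectors, the policy values and the CONNECT_SECRET_ prefix are constructed for this example.

```python
"""Audit Kafka Connect connector configs for risky ConfigProvider references.

Added example; not code from Apache Kafka or the original post. The policy
values and sample connectors below are constructed for illustration.
"""
import json
import os
import re
from typing import Dict, List

# Placeholder syntax resolved by Kafka's ConfigTransformer: ${provider:path:key},
# where the path segment is optional (${provider:key}).
PLACEHOLDER = re.compile(r"\$\{([^}]*?):(?:([^}]*?):)?([^}]*?)\}")

# Policy mirroring the worker settings in the mitigation section (assumed values).
POLICY = {
    "file": {"allowed_paths": ["/home/kafka/configs"]},
    "directory": {"allowed_paths": ["/home/kafka/configs"]},
    "env": {"allowlist_pattern": re.compile(r"^CONNECT_SECRET_.*$")},
}


def path_allowed(path: str, allowed: List[str]) -> bool:
    """True if `path` lies inside one of the allowed directories.

    normpath collapses '..' so a traversal such as
    /home/kafka/configs/../../../etc/shadow is judged by where it ends up, and
    the os.sep check stops /home/kafka/configs_evil from passing as a child.
    """
    target = os.path.normpath(path)
    for root in allowed:
        root = os.path.normpath(root)
        if target == root or target.startswith(root + os.sep):
            return True
    return False


def audit_value(value: str) -> List[dict]:
    """Classify every placeholder in one config value."""
    findings = []
    for provider, path, key in PLACEHOLDER.findall(value):
        rule = POLICY.get(provider)
        if rule is None:
            verdict = "unknown provider"
        elif provider in ("file", "directory"):
            verdict = "allowed" if path_allowed(path, rule["allowed_paths"]) else "BLOCKED"
        else:  # env: the variable name is the key; there is no path segment
            verdict = "allowed" if rule["allowlist_pattern"].match(key) else "BLOCKED"
        findings.append({"provider": provider, "path": path, "key": key, "verdict": verdict})
    return findings


def audit_connectors(connectors: Dict[str, dict]) -> Dict[str, List[dict]]:
    """Return {connector name: findings} for connectors that use placeholders."""
    report: Dict[str, List[dict]] = {}
    for name, entry in connectors.items():
        config = entry.get("info", {}).get("config", {})
        hits = []
        for config_key, value in config.items():
            if isinstance(value, str):
                for finding in audit_value(value):
                    hits.append({"config_key": config_key, **finding})
        if hits:
            report[name] = hits
    return report


# Constructed sample in the shape of `GET /connectors?expand=info` output.
SAMPLE_CONNECTORS = json.loads("""
{
  "danger-connector": {"info": {"config": {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "file": "${file:/etc/passwd:root}",
    "topics": "audit"}}},
  "sneaky-connector": {"info": {"config": {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "file": "${file:/home/kafka/configs/../../../etc/shadow:root}",
    "topics": "${env:AWS_SECRET_ACCESS_KEY}"}}},
  "legit-connector": {"info": {"config": {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "file": "${file:/home/kafka/configs/sink.properties:output.path}",
    "topics": "${env:CONNECT_SECRET_TOPIC}"}}}
}
""")

if __name__ == "__main__":
    for name, hits in audit_connectors(SAMPLE_CONNECTORS).items():
        for f in hits:
            where = f["path"] or f["key"]
            print(f"{name}: {f['config_key']} -> {f['provider']}:{where} [{f['verdict']}]")
```

Against a live worker, feed it the output of curl -s http://connect-host:8083/connectors?expand=info instead of the embedded sample. Anything reported as BLOCKED is a config your 3.8.0 worker would refuse to resolve; on an older worker it is a config that would have been resolved, so treat it as a possible past leak.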

4. Only Accept Configs from Trusted Sources

Don’t let untrusted users supply Kafka client or connector configs, especially where ConfigProviders are enabled.

Brokers, MirrorMaker 2.0, Kafka Streams and command-line utilities

The Apache advisory does not recommend setting org.apache.kafka.automatic.config.providers=none for the Kafka broker, MirrorMaker 2.0, Kafka Streams or the command-line tools: they are meant to read disk and environment variables and are normally configured by the operator, unless those are taking untrusted configuration input.

References & Resources

- Apache Kafka Security Advisory
- Upstream Jira Issue (KAFKA-15906)
- CVE-2024-31141 NVD Entry
- 3.8.0 Release Notes

You are at risk only if

- you allow untrusted users or external parties to specify Kafka client configurations (via REST APIs, uploaded files, and so on), or
- you run Kafka Connect in a multi-tenant or SaaS environment where tenants can create or modify connectors.

Conclusion

CVE-2024-31141 turns a simple config injection into a filesystem or environment-variable read on the host running the client, which is where TLS keystores, credential files and cloud secrets usually live. Upgrading kafka-clients to 3.8.0, setting the automatic-config-provider property where configs are untrusted, and bounding the providers your Connect workers declare is the way to protect your Kafka infrastructure.

Take action now: check your Kafka versions, review your configuration, and lock down your environment.


*This post is an exclusive, plain-speak summary for security practitioners and Kafka administrators.*
*Stay safe—and always secure what you expose!*


*Have more technical questions? Visit the Apache Kafka User Mailing List or open an issue on the GitHub repository.*

Timeline

Published on: 11/19/2024 09:15:03 UTC
Last modified on: 11/19/2024 21:57:32 UTC