CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint

[Randall Hauch <rhauch () apache org>]

CVE-2019-12399: Apache Kafka Connect REST API exposes plaintext secrets in
tasks endpoint

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:

Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0

Description:

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
2.2.1, or 2.3.0 are configured with one or more config providers, and a
connector is created/updated on that Connect cluster to use an externalized
secret variable in a substring of a connector configuration property value
(the externalized secret variable is not the whole configuration property
value), then any client can issue a request to the same Connect cluster to
obtain the connector's task configurations and the response will contain
the plaintext secret rather than the externalized secrets variable.


Mitigation:

Apache Kafka Connect users should upgrade to one of the following versions
where this vulnerability has been fixed:
- 2.0.2 or higher
- 2.1.2 or higher
- 2.2.2 or higher
- 2.3.1 or higher

Acknowledgements:

This issue was first reported by Oleksandr Diachenko.


Regards,

Randall