QID 150685
Date Published: 2023-05-29
QID 150685: Apache Kafka Connect Remote Code Execution (RCE) Vulnerability (CVE-2023-25194)
Apache Kafka is a distributed event store and stream-processing platform. The project aims to provide a unified, high-throughput, low-latency platform for handling real-time data feeds.
A possible security vulnerability has been identified in Apache Kafka Connect. Exploitation requires access to a Kafka Connect worker and the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. This allows an attacker to perform JNDI requests that result in denial of service or remote code execution.
Affected Products:
Apache Kafka Connect from version 2.3.0 to 3.3.2
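An added example, not part of the original advisory: a Python audit for the two preconditions described above, a worker version in the stated affected range and a connector that supplies its own client `sasl.jaas.config`. The login-module allowlist, connector names and sample configs are constructed assumptions; the `producer.override.`, `consumer.override.` and `admin.override.` prefixes are Kafka Connect's per-connector client override keys, and each config dict is a flat string map like the one the Connect REST API returns for a connector.

```python
import re

# Affected range as stated on this page: Kafka Connect 2.3.0 through 3.3.2.
AFFECTED_MIN, AFFECTED_MAX = (2, 3, 0), (3, 3, 2)
# Kafka Connect per-connector client override prefixes.
OVERRIDE_PREFIXES = ("producer.override.", "consumer.override.", "admin.override.")
# Assumed site policy: the only JAAS login modules a connector may request.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
}

def version_affected(version):
    """True if a version string such as '3.3.1' is inside the affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))          # '3.4' is treated as 3.4.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def audit_connector(name, config):
    """Flag connector-supplied JAAS configs whose login module is not allowlisted."""
    findings = []
    for prefix in OVERRIDE_PREFIXES:
        jaas = config.get(prefix + "sasl.jaas.config")
        if jaas is None:
            continue
        tokens = jaas.split()                 # JAAS entry: '<module> <flag> opts;'
        module = tokens[0] if tokens else ""
        if module not in ALLOWED_LOGIN_MODULES:
            protocol = config.get(prefix + "security.protocol", "")
            findings.append((name, prefix + "sasl.jaas.config", module, protocol))
    return findings

def audit_worker(version, connectors):
    """Combine the version check with a scan of every connector config."""
    findings = [f for n, c in sorted(connectors.items()) for f in audit_connector(n, c)]
    return {"affected_version": version_affected(version), "findings": findings}

# Constructed sample data (hypothetical connector names and module).
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "consumer.override.security.protocol": "SASL_SSL",
        "consumer.override.sasl.jaas.config":
            "org.apache.kafka.common.security.scram.ScramLoginModule required;",
    },
    "legacy-source": {
        "producer.override.security.protocol": "SASL_PLAINTEXT",
        "producer.override.sasl.jaas.config": "com.example.UnexpectedLoginModule required;",
    },
}

if __name__ == "__main__":
    print(audit_worker("3.3.1", SAMPLE_CONNECTORS))
```

A finding on a worker whose version is in the affected range is the case to review first; findings on other versions still show connectors that depart from the allowlist.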
QID Detection Logic (Unauthenticated):
This QID sends an HTTP POST request to the "druid/indexer/v1/sampler?for=connect" endpoint with a specially crafted payload that executes system commands and, based on the response, determines if the host is vulnerable.
NOTE: This QID checks for the vulnerability on an Apache Druid application that is using a vulnerable Apache Kafka Connect.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
- Apache Kafka -
kafka.apache.org/cve-list
CVEs related to QID 150685
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Apache Kafka |