CVE-2023-25194

8.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code on Apache Kafka Connect workers through JNDI injection in the SASL JAAS configuration. By creating or modifying a connector whose client configuration points the JndiLoginModule at an attacker-controlled LDAP server, the attacker achieves remote code execution on the worker. It affects Kafka Connect clusters running versions 2.3.0 through 3.3.x with default or permissive connector client config override policies.

💻 Affected Systems

Products:
  • Apache Kafka Connect
Versions: 2.3.0 through 3.3.x
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Default configurations in Kafka 3.0.0+ allow property specification; earlier versions require permissive connector client override policies.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Unauthorized code execution allowing attackers to steal sensitive data, deploy malware, or disrupt Kafka operations.

🟢 If Mitigated: Limited to authenticated users with connector modification privileges; proper controls can prevent exploitation entirely.

🌐 Internet-Facing: HIGH if the Kafka Connect REST API is reachable from the internet, even with authentication enabled (the attack needs only an authenticated user who can create or modify connectors).
🏢 Internal Only: MEDIUM to HIGH, depending on internal access controls and on which users may modify connectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to Kafka Connect REST API and ability to create/modify connectors. Similar JNDI injection patterns have been weaponized in other Java applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Kafka 3.4.0+

Vendor Advisory: https://kafka.apache.org/cve-list

Restart Required: Yes

Instructions:

1. Upgrade to Apache Kafka 3.4.0 or later.
2. If you must stay on an older version, apply the system property '-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule'.
3. Restart Kafka Connect services.

🔧 Temporary Workarounds

Disable JndiLoginModule via system property (Platform: all)

Add the following JVM argument to disable the vulnerable login module:

-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule

Implement a connector client config override policy (Platform: all)

Create a custom policy that restricts which Kafka client properties connectors may override, and set the connector.client.config.override.policy property in the Kafka Connect worker configuration.

🧯 If You Can't Patch

  • Implement strict connector client config override policies to block sasl.jaas.config overrides
  • Restrict access to Kafka Connect REST API to only trusted administrators and monitor connector configuration changes

🔍 How to Verify

Check if Vulnerable:

Check Kafka Connect version and configuration. Versions 2.3.0-3.3.x with permissive connector policies are vulnerable.

Check Version:

Run kafka-topics.sh --version, or check the Kafka Connect server logs for version information.

Verify Fix Applied:

Verify that the Kafka Connect version is 3.4.0+ or that the system property disallowing JndiLoginModule is set. As a functional test, connector configuration requests that include sasl.jaas.config overrides should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Connector configuration changes containing 'sasl.jaas.config' with 'JndiLoginModule'
  • LDAP connection attempts from Kafka Connect processes
  • Java deserialization errors in logs

Network Indicators:

  • Outbound LDAP connections from Kafka Connect servers to unexpected destinations
  • Unusual network traffic patterns from Kafka Connect processes

SIEM Query:

source="kafka-connect" AND ("sasl.jaas.config" OR "JndiLoginModule" OR "com.sun.security.auth.module")
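The following is an added example, not part of this CVE page and not Apache Kafka's own code. It turns the "Verify Fix Applied" and "Detection & Monitoring" guidance above into an offline checker: it parses a constructed Kafka Connect worker properties file and the worker's JVM options to confirm that the JndiLoginModule is disallowed and that the connector client config override policy is restrictive, and it scans constructed connector-configuration audit lines for sasl.jaas.config values (bare, or under the producer.override./consumer.override./admin.override. prefixes that Kafka Connect accepts) naming JndiLoginModule. The audit-line format and the connector names are assumptions; the property names are the real Kafka ones. The built-in policy value 'None' used in the hardened sample is Kafka's own policy that forbids all client overrides, and is named here as a known alternative to the custom policy the page describes.

```python
"""Offline exposure check for CVE-2023-25194 in Kafka Connect (added example).

1. Static check of the worker: is JndiLoginModule disallowed via -D flag, and is
   connector.client.config.override.policy restrictive?
2. Detection over connector config changes: flag any sasl.jaas.config value,
   plain or prefixed, that names JndiLoginModule.
All inputs below are constructed sample data.
"""
import json
import re

# Real Kafka property names (from the advisory / Kafka documentation).
DISALLOWED_PROP = "org.apache.kafka.disallowed.login.modules"
JNDI_MODULE = "com.sun.security.auth.module.JndiLoginModule"
OVERRIDE_POLICY_KEY = "connector.client.config.override.policy"

# Matches the bare key and any prefixed form such as producer.override.sasl.jaas.config.
JAAS_KEY_RE = re.compile(r"(^|\.)sasl\.jaas\.config$")
JNDI_RE = re.compile(r"JndiLoginModule", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_jvm_opts(opts):
    """Turn '-Dk=v -Dk2=v2 ...' (e.g. KAFKA_OPTS) into a dict; only -D definitions are kept."""
    result = {}
    for tok in opts.split():
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            result[key] = value
    return result


def check_worker_config(worker_props, jvm_opts):
    """Return a list of findings for one worker; an empty list means no finding."""
    findings = []
    disallowed = [m.strip() for m in jvm_opts.get(DISALLOWED_PROP, "").split(",")]
    if JNDI_MODULE not in disallowed:
        findings.append(f"{JNDI_MODULE} is not listed in -D{DISALLOWED_PROP}")
    policy = worker_props.get(OVERRIDE_POLICY_KEY, "All")  # Kafka 3.0+ default is All
    if policy == "All":
        findings.append(f"{OVERRIDE_POLICY_KEY}={policy}: connectors may override sasl.jaas.config")
    return findings


def suspicious_jaas_keys(connector_config):
    """Keys of a connector config whose JAAS value names JndiLoginModule."""
    return [k for k, v in connector_config.items()
            if JAAS_KEY_RE.search(k) and isinstance(v, str) and JNDI_RE.search(v)]


def scan_config_change_log(lines):
    """Scan constructed audit lines '<ts> PUT /connectors/<name>/config <json>'.
    Returns a list of (connector_name, offending_keys) for each hit."""
    hits = []
    for line in lines:
        m = re.match(r"\S+ PUT /connectors/([^/]+)/config (.*)$", line)
        if not m:
            continue
        try:
            cfg = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue
        keys = suspicious_jaas_keys(cfg)
        if keys:
            hits.append((m.group(1), keys))
    return hits


# Constructed sample data (not from any real deployment).
WORKER_PROPERTIES = """# constructed connect-distributed.properties
bootstrap.servers=kafka:9092
group.id=connect-cluster
connector.client.config.override.policy=All
"""
WORKER_PROPERTIES_HARDENED = WORKER_PROPERTIES.replace("=All", "=None")
KAFKA_OPTS_FIXED = "-Xmx1g -D" + DISALLOWED_PROP + "=" + JNDI_MODULE
KAFKA_OPTS_UNFIXED = "-Xmx1g"
AUDIT_LOG = [
    '2023-02-08T10:00:00Z PUT /connectors/orders-sink/config {"connector.class":"FileStreamSink","topics":"orders"}',
    '2023-02-08T10:05:00Z PUT /connectors/reporting-sink/config {"connector.class":"FileStreamSink",'
    '"producer.override.sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required;"}',
    '2023-02-08T10:06:00Z GET /connectors/reporting-sink/status',
]

if __name__ == "__main__":
    for f in check_worker_config(parse_properties(WORKER_PROPERTIES), parse_jvm_opts(KAFKA_OPTS_UNFIXED)):
        print("worker finding:", f)
    for name, keys in scan_config_change_log(AUDIT_LOG):
        print(f"connector {name!r} sets JndiLoginModule via {keys}")
```

Run against a real worker by reading connect-distributed.properties and the KAFKA_OPTS the worker was launched with, and feed it whatever audit trail records connector PUT/POST requests; the scan deliberately keys on the login module name rather than on any LDAP URL, because the module name is the invariant the page's SIEM query also relies on.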
