CVE-2024-36543
📋 TL;DR
This vulnerability in the STRIMZI Project's Kafka Connect REST API allows attackers to bypass access controls, potentially denying Kafka Mirroring service, mirroring topic content to unauthorized clusters, and stealing SASL credentials. It affects STRIMZI Project versions 0.41.0 and earlier. Organizations using vulnerable STRIMZI deployments for Kafka MirrorMaker are at risk.
💻 Affected Systems
- STRIMZI Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Kafka clusters including data exfiltration, credential theft, and denial of service for mirroring operations, potentially leading to data breach and service disruption.
Likely Case
Unauthorized access to mirror topics to attacker-controlled clusters and potential denial of service for Kafka Mirroring functionality.
If Mitigated
Limited impact if proper network segmentation and authentication controls are in place, though access control bypass remains possible.
🎯 Exploit Status
Exploitation requires access to the Kafka Connect REST API but bypasses existing access controls. Public research available with proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.42.0 or later
Vendor Advisory: http://strimzi.com
Restart Required: Yes
Instructions:
1. Upgrade STRIMZI to version 0.42.0 or later. 2. Update all Kafka Connect deployments. 3. Restart affected services. 4. Verify access controls are properly enforced.
🔧 Temporary Workarounds
Network Isolation
linuxRestrict access to Kafka Connect REST API endpoints using network controls
iptables -A INPUT -p tcp --dport 8083 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8083 -j DROP
Authentication Enforcement
allImplement strong authentication for all REST API access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kafka Connect REST API endpoints
- Enable and enforce Kafka ACLs with strict permissions for all operations
🔍 How to Verify
Check if Vulnerable:
Check STRIMZI version: kubectl get strimzi -o json | grep versionCheck Version:
kubectl get strimzi -o jsonpath='{.items[*].spec.version}'Verify Fix Applied:
Verify version is 0.42.0 or later and test access control enforcement on REST API endpoints📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /connectors endpoint
- Unexpected connector creation/modification
- Failed authentication attempts with successful operations
Network Indicators:
- Unusual traffic patterns to Kafka Connect REST API
- Connections from unauthorized sources to port 8083
SIEM Query:
source="kafka-connect" AND (event="CREATE_CONNECTOR" OR event="MODIFY_CONNECTOR") AND user!="authorized_user"