Critical RCE Vulnerabilities Discovered in Kafka UI

Researchers have uncovered three critical remote code execution (RCE) vulnerabilities in Kafka UI, an open source web application used for managing and monitoring Apache Kafka clusters, according to The GitHub Blog. These vulnerabilities have been addressed in the latest release, version 0.7.2, and users are strongly encouraged to update their systems to mitigate potential exploits.

CVE-2023-52251: RCE via Groovy Script Execution

The first vulnerability, identified as CVE-2023-52251, leverages the message filtering functionality within Kafka UI. Attackers can use the GROOVY_SCRIPT filter type to execute arbitrary Groovy scripts, leading to potential RCE. The exploit can be initiated through a simple HTTP GET request, making it highly accessible. The vulnerability was reported in November 2023 and patched in April 2024.

CVE-2024-32030: RCE via JMX Connector

The second vulnerability, CVE-2024-32030, involves the Java Management Extensions (JMX) connector used by Kafka UI to monitor Kafka brokers. If the dynamic.config.enabled setting is activated, attackers can configure Kafka UI to connect to a malicious JMX server, leading to deserialization attacks. This vulnerability was also fixed in the 0.7.2 release.

CVE-2023-25194: RCE via JndiLoginModule

The third vulnerability, CVE-2023-25194, exploits the JndiLoginModule for authentication. Attackers can manipulate cluster properties to trigger RCE. This issue is only exploitable if the dynamic.config.enabled property is set to true. The fix was included in the 0.7.2 release, prohibiting the use of the JndiLoginModule.

Kafka UI users are advised to upgrade to version 0.7.2 to secure their systems against these critical vulnerabilities. The fixes include updating dependencies and adding stricter controls to prevent potential exploits.