Critical RCE Vulnerabilities Discovered in Kafka UI

Peter Zhang

Jul 22, 2024 15:37

Researchers identified three critical remote code execution (RCE) vulnerabilities in Kafka UI. Users are advised to upgrade to version 0.7.2 to mitigate risks.


Researchers have uncovered three critical remote code execution (RCE) vulnerabilities in Kafka UI, an open source web application used for managing and monitoring Apache Kafka clusters, according to The GitHub Blog. These vulnerabilities have been addressed in the latest release, version 0.7.2, and users are strongly encouraged to update their systems to mitigate potential exploits.

CVE-2023-52251: RCE via Groovy Script Execution

The first vulnerability, identified as CVE-2023-52251, leverages the message filtering functionality within Kafka UI. Attackers can use the GROOVY_SCRIPT filter type to execute arbitrary Groovy scripts, leading to potential RCE. The exploit can be initiated through a simple HTTP GET request, making it highly accessible. The vulnerability was reported in November 2023 and patched in April 2024.

CVE-2024-32030: RCE via JMX Connector

The second vulnerability, CVE-2024-32030, involves the Java Management Extensions (JMX) connector used by Kafka UI to monitor Kafka brokers. If the dynamic.config.enabled setting is activated, attackers can configure Kafka UI to connect to a malicious JMX server, leading to deserialization attacks. This vulnerability was also fixed in the 0.7.2 release.

CVE-2023-25194: RCE via JndiLoginModule

The third vulnerability, CVE-2023-25194, abuses the JndiLoginModule used for authentication. Attackers can manipulate cluster properties to trigger RCE. This issue is only exploitable if the dynamic.config.enabled property is set to true. The fix was included in the 0.7.2 release, prohibiting the use of the JndiLoginModule.

Kafka UI users are advised to upgrade to version 0.7.2 to secure their systems against these critical vulnerabilities. The fixes include updating dependencies and adding stricter controls to prevent potential exploits.
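A defender-side audit covering the three issues above, written as an added example rather than code from the article or the Kafka UI project. It assumes the deployment version is known (for example from the image tag), that the application configuration is available as a flat dict of dotted keys, and that the Groovy filter is selected through a query parameter named filterQueryType (an assumption about the API, not something the article states); the config and log lines are constructed samples.

```python
import re
from typing import Dict, List

FIXED_VERSION = (0, 7, 2)  # release that addresses all three CVEs per the article

def parse_version(tag: str) -> tuple:
    """Turn '0.7.1' (optionally prefixed with 'v') into a comparable tuple."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))

def audit_config(version: str, config: Dict[str, str]) -> List[str]:
    """Return risk findings for a deployment; an empty list means nothing flagged."""
    findings = []
    vulnerable = parse_version(version) < FIXED_VERSION
    if vulnerable:
        findings.append(f"CVE-2023-52251: version {version} < 0.7.2, GROOVY_SCRIPT filter reachable")
    dynamic = config.get("dynamic.config.enabled", "false").strip().lower() == "true"
    if vulnerable and dynamic:
        findings.append("CVE-2024-32030: dynamic.config.enabled=true, JMX target can be redirected")
    # A JndiLoginModule reference in any cluster property is a finding on its own;
    # with dynamic config enabled an attacker could have planted it (CVE-2023-25194).
    for key, value in config.items():
        if "JndiLoginModule" in value:
            findings.append(f"CVE-2023-25194: {key} references JndiLoginModule")
    return findings

# Assumed request shape: a GET whose query string carries filterQueryType=GROOVY_SCRIPT.
GROOVY_FILTER = re.compile(r'"GET [^"]*[?&]filterQueryType=GROOVY_SCRIPT[^"]*"')

def find_groovy_filter_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines whose request line selects the Groovy filter type."""
    return [line for line in log_lines if GROOVY_FILTER.search(line)]

# Constructed sample data (not taken from any real deployment)
SAMPLE_CONFIG = {
    "dynamic.config.enabled": "true",
    "kafka.clusters.0.properties.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2024:15:37:01 +0000] "GET /api/clusters/local/topics/orders/messages?filterQueryType=STRING_CONTAINS&q=abc HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jul/2024:15:37:09 +0000] "GET /api/clusters/local/topics/orders/messages?filterQueryType=GROOVY_SCRIPT&q=redacted HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for finding in audit_config("0.7.1", SAMPLE_CONFIG):
        print("FINDING:", finding)
    for line in find_groovy_filter_requests(SAMPLE_LOG):
        print("GROOVY FILTER USED:", line)
```

On a 0.7.2 deployment the version-gated findings disappear, but a JndiLoginModule reference and Groovy filter usage in logs are still worth reviewing.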
