{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32030", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-09T15:29:35.938Z", "datePublished": "2024-06-19T16:35:34.497Z", "dateUpdated": "2024-07-10T19:34:42.931Z"}, "containers": {"cna": {"title": "Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/"}, {"name": "https://github.com/provectus/kafka-ui/pull/4427", "tags": ["x_refsource_MISC"], "url": "https://github.com/provectus/kafka-ui/pull/4427"}, {"name": "https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36", "tags": ["x_refsource_MISC"], "url": "https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36"}], "affected": [{"vendor": "provectus", "product": "kafka-ui", "versions": [{"version": "< 0.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T16:35:34.497Z"}, "descriptions": [{"lang": "en", "value": "Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230."}], "source": {"advisory": "GHSA-ff7q-prqf-j6fv", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "provectus", "product": "ui", "cpes": ["cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.7.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-32030"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T19:34:42.931Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230."}, {"lang": "es", "value": "Kafka UI es una interfaz de usuario web de c\u00f3digo abierto para la administraci\u00f3n de Apache Kafka. La API de Kafka UI permite a los usuarios conectarse a diferentes corredores de Kafka especificando su direcci\u00f3n de red y puerto. Como caracter\u00edstica independiente, tambi\u00e9n brinda la capacidad de monitorear el desempe\u00f1o de los corredores de Kafka conect\u00e1ndose a sus puertos JMX. JMX se basa en el protocolo RMI, por lo que es inherentemente susceptible a ataques de deserializaci\u00f3n. Un atacante potencial puede aprovechar esta caracter\u00edstica conectando el backend de la interfaz de usuario de Kafka a su propio agente malicioso. Esta vulnerabilidad afecta las implementaciones donde ocurre una de las siguientes situaciones: 1. La propiedad dynamic.config.enabled est\u00e1 configurada en la configuraci\u00f3n. No est\u00e1 habilitado de forma predeterminada, pero se sugiere habilitarlo en muchos tutoriales para Kafka UI, incluido su propio README.md. O 2. un atacante tiene acceso al cl\u00faster de Kafka que se est\u00e1 conectando a la interfaz de usuario de Kafka. En este escenario, el atacante puede aprovechar esta vulnerabilidad para ampliar su acceso y ejecutar c\u00f3digo tambi\u00e9n en la interfaz de usuario de Kafka. En lugar de configurar un puerto JMX leg\u00edtimo, un atacante puede crear un detector RMI que devuelva un objeto serializado malicioso para cualquier llamada RMI. En el peor de los casos, podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, ya que Kafka UI tiene las cadenas de dispositivos necesarias en su classpath. Este problema puede provocar la ejecuci\u00f3n remota de c\u00f3digo posterior a la autenticaci\u00f3n. Esto es particularmente peligroso ya que Kafka-UI no tiene la autenticaci\u00f3n habilitada de forma predeterminada. Este problema se solucion\u00f3 en la versi\u00f3n 0.7.2. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Estos problemas fueron descubiertos e informados por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrean como GHSL-2023-230."}], "id": "CVE-2024-32030", "lastModified": "2024-06-20T12:43:25.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-19T17:15:57.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36"}, {"source": "security-advisories@github.com", "url": "https://github.com/provectus/kafka-ui/pull/4427"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}