By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2023-34040

Remote Code Execution

Affects

Spring for Apache Kafka

<2.9.11, >=3.0.0 <3.0.10

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring for Apache Kafka is a project within the Spring ecosystem that provides integration with Apache Kafka, a distributed event streaming platform. It simplifies the development of Kafka-based applications by offering Spring Boot autoconfiguration, message-driven POJOs, and a template-based API for producing and consuming messages.

‍

A Remote Code Execution vulnerability (CVE-2023-34040) has been identified in Spring for Apache Kafka's spring-kafka module, which could allow attackers to execute code on vulnerable applications.

‍

Per OWASP: Code injection flaws are among the top-10 vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected code:

can access internal application objects/methods
can often bypass security controls
may persist across sessions
can often pivot to gain OS-level access

‍

This issue affects Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier.

Details

Module Info

Product: Spring for Apache Kafka
Affected packages: spring-kafka
Affected versions: <2.9.11, >=3.0.0 <3.0.10
GitHub repository: https://github.com/spring-projects/spring-kafka
Published packages: https://central.sonatype.com/artifact/org.springframework.kafka/spring-kafka
Package manager: Maven
Fixed in: NES for Spring Kafka v2.8.13

‍

Vulnerability Info

A deserialization vulnerability was identified in Spring for Apache Kafka under specific non-default configurations. The issue arises when applications do not configure an ErrorHandlingDeserializer for message keys and/or values while also enabling the container properties checkDeserExWhenKeyNull or checkDeserExWhenValueNull. In such cases, an attacker could inject a malicious serialized object into deserialization exception record headers, potentially leading to unauthorized code execution or denial-of-service attacks.

‍

The exploit involves modifying the DeserializationException class to contain an arbitrary object payload. By altering the class name in the serialized data and embedding it in the springDeserializerExceptionValue or springDeserializerExceptionKey headers, a malicious payload—such as a Billion Laughs attack—can be injected. The consumer, when attempting to deserialize the message, would process the modified exception, leading to resource exhaustion or further exploitation. However, Spring Kafka’s default configurations mitigate this risk, as these container properties are set to false by default, and ErrorHandlingDeserializer actively prevents malicious headers from being processed.

‍

Steps To Reproduce

A public reproduction of this vulnerability has been published here.

‍

Credits

Joseph Beeton from Contrast Security, Inc.

‍

Mitigation

Spring for Apache Kafka 2.8 branch is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring for Apache Kafka.
Leverage a commercial support partner like HeroDevs for post-EOL security support.