CVE-2023-25194: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2023-25194) was identified in Apache Kafka Connect API affecting versions 2.3.0 through 3.3.2. The vulnerability requires access to a Kafka Connect worker and the ability to create or modify connectors with arbitrary Kafka client SASL JAAS configuration and SASL-based security protocol (Apache Kafka CVE, Security Online).

The vulnerability allows an authenticated operator to set the sasl.jaas.config property for connector's Kafka clients to 'com.sun.security.auth.module.JndiLoginModule' through producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties. This enables the server to connect to an attacker's LDAP server and deserialize the LDAP response, potentially leading to java deserialization gadget chain execution on the Kafka connect server. The vulnerability has been assigned a CVSS v3 Base Score of 8.8 (AttackerKB).

When exploited, the vulnerability can lead to unrestricted deserialization of untrusted data or remote code execution (RCE) when there are gadgets in the classpath. The impact is particularly severe as it could allow attackers to execute arbitrary code on the system (SOCRadar).

The vulnerability was fixed in Apache Kafka version 3.4.0. The fix includes adding a system property (-Dorg.apache.kafka.disallowed.login.modules) to disable problematic login modules in SASL JAAS configuration. Additionally, 'com.sun.security.auth.module.JndiLoginModule' is disabled by default in Apache Kafka 3.4.0. Users are advised to validate connector configurations, allow only trusted JNDI configurations, and implement their own connector client config override policy (Apache Kafka CVE).