Bug 1102920 (CVE-2018-1288)

Summary: VUL-0: CVE-2018-1288: kafka: authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request
Product: [Novell Products] SUSE Security Incidents
Reporter: Karol Babioch <karol>
Component: Incidents
Assignee: Cloud Bugs <cloud-bugs>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: cloud-bugs, JoDavis, johannes.grassler, jsegitz, jwei, nkrinner, smash_bz
Version: unspecified
Flags: nkrinner: needinfo? (JoDavis)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/211729/
Whiteboard:
  CVSSv3:SUSE:CVE-2018-1288:8.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
  CVSSv3:RedHat:CVE-2018-1288:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
  CVSSv2:NVD:CVE-2018-1288:5.5:(AV:N/AC:L/Au:S/C:N/I:P/A:P)
  CVSSv3:NVD:CVE-2018-1288:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Karol Babioch 2018-07-27 15:28:32 UTC
CVE-2018-1288

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request, interfering with data replication and resulting in data loss.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1288
http://seclists.org/oss-sec/2018/q3/63
http://www.cvedetails.com/cve/CVE-2018-1288/
https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E
Comment 3 Karol Babioch 2018-08-06 13:30:10 UTC
Ok, thank you for your analysis. I've marked the codestreams as affected and requested an update. Looking forward to seeing the necessary submissions ;).
Comment 4 Johannes Grassler 2018-08-06 13:59:59 UTC
This one is a bit tricky to fix: Monasca requires Kafka 0.9 or something that behaves like it. Kafka 0.10.x has a setting for picking a Kafka protocol version, but configuring that setting accordingly will require changing monasca-installer and Ardana as well and some testing. A backport to 0.9.0 would be preferable but there's a problem with that:

I just tried cherry-picking d2932ad370c5b56edac9d99e6d75f199537a569f to the upstream 0.9.0 branch but it does not apply cleanly and assumes the presence of at least one additional commit (01aeea7c7bca34f1edce40116b7721335938b13b) which is currently not in the 0.9.0 branch. I'd rather not risk patching Kafka this extensively, so I'll go with updating to 0.10.2.2 and configuring 0.9 accordingly.

Joseph: once this lands in the package it will break both Ardana and Crowbar based Cloud 8, because neither of them sets that Kafka protocol version setting yet. So we'll need to carefully sync changing the package with updating both monasca-installer and monasca-ansible right after. We might be able to get away with adding that setting before we change the package, but I'll have to try whether adding it on Kafka 0.9.0 works first.
Comment 5 Joseph Davis 2018-08-06 16:22:25 UTC
@Johannes: Thanks for the good analysis. I hope we can get the settings for monasca in place before switching - that would be a good scenario. We do need to get Monasca moving forward with Kafka versions again. Do we need to bring this up with the Monasca Community?
Comment 6 Johannes Grassler 2018-08-07 14:19:38 UTC
Here's an updated kafka and kafka-kit package: https://build.opensuse.org/request/show/627888

Also, I've got some good news: this is not going to break anything, even without monasca-installer changes, since the Kafka protocol is somewhat intelligent and supports a protocol version field (see https://kafka.apache.org/protocol#protocol_compatibility).

I had a bit of a chat with upstream, and the general sentiment was that as long as all the clients talking to Kafka specify the same version, there's no problem. For both Cloud 7 and Cloud 8 that is 0.9.0.0 across the board, so we are good. I already tested the updated Kafka package on my local cloud and it worked out fine (alarms, metrics and logs continue to work as expected).

So long story short, we don't need a monasca-installer change to go with this right now. I made a note to hardwire the protocol version for Cloud 9, though.

Joseph, can you please take a look at https://build.opensuse.org/request/show/627888 and check to make sure the update to 0.10.2.2 doesn't break your patches (it shouldn't but I'd prefer having a second pair of eyes on it)? Once I've got your go-ahead I'll merge this and submit it for Cloud:OpenStack:{Newton,Pike} and beyond.
Comment 7 Johannes Grassler 2018-08-07 15:57:14 UTC
Ok, merged to network:messaging:kafka. Here are the requests for Cloud:OpenStack:Newton...

https://build.opensuse.org/request/show/627925
https://build.opensuse.org/request/show/627926

...Cloud:OpenStack:Ocata...

https://build.opensuse.org/request/show/627928
https://build.opensuse.org/request/show/627929

...and Cloud:OpenStack:Pike:

https://build.opensuse.org/request/show/627930
https://build.opensuse.org/request/show/627931
Comment 8 Johannes Grassler 2018-08-08 09:10:05 UTC
Sorry, forgot the requests for Queens yesterday:

https://build.opensuse.org/request/show/628024
https://build.opensuse.org/request/show/628025
Comment 11 Swamp Workflow Management 2018-08-28 13:12:02 UTC
SUSE-SU-2018:2536-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1086909,1090192,1090343,1090849,1094448,1095603,1096985,1102920
CVE References: CVE-2018-12099,CVE-2018-1288,CVE-2018-3817
Sources used:
SUSE OpenStack Cloud 7 (src):    grafana-4.5.1-1.8.1, kafka-0.10.2.2-5.1, logstash-2.4.1-5.1, monasca-installer-20180608_12.47-9.1
Comment 14 Joseph Davis 2018-09-08 04:59:59 UTC
Hmm, I attempted to just submit the package (which has these changes) from https://build.suse.de/package/show/Devel:Cloud:8/kafka to SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and got this error message:

> Unable to submit: The target project SUSE:SLE-12-SP3:Update:Products:Cloud8:Update is a maintenance release project, a submit self is not possible, please use the maintenance workflow instead.

I'm afraid I'm not familiar enough with IBS processes to get it right yet.
Comment 15 Joseph Davis 2018-09-08 05:08:42 UTC
(In reply to Joseph Davis from comment #14)
> Hmm, I attempted to just submit the package (which has these changes) from
> https://build.suse.de/package/show/Devel:Cloud:8/kafka to
> SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and got this error message:
> 
> > Unable to submit: The target project SUSE:SLE-12-SP3:Update:Products:Cloud8:Update is a maintenance release project, a submit self is not possible, please use the maintenance workflow instead. 
> 
> I'm afraid I'm not familiar enough with IBS processes to get it right yet.

Reading https://openbuildservice.org/help/manuals/obs-reference-guide/cha.obs.maintenance_setup.html makes it sound like the request has to be handled by a member of the maintenance team. Am I reading too much into the process?
Comment 16 Johannes Segitz 2018-09-10 06:15:06 UTC
(In reply to Joseph Davis from comment #15)
The process is described in https://pes.suse.de/Maintenance-Security/Submitting_Packages/ - can you access this link?
Comment 17 Joseph Davis 2018-09-10 22:13:23 UTC
Thanks for the link. Do I need to create a new branch with the -M tag and copy the changes from another branch to there before submitting, or can I just submit the existing branch with the changes using "mr"?...

Gave it a try from the command line. Does https://build.suse.de/request/show/171765 look correct?
Comment 18 Johannes Segitz 2018-09-13 06:42:30 UTC
(In reply to Joseph Davis from comment #17)
Looks fine, but it seems you need to talk to Rick :)
Comment 19 Joseph Davis 2018-09-13 15:08:55 UTC
(In reply to Johannes Segitz from comment #18)
> (In reply to Joseph Davis from comment #17)
> looks fine but it seems you need to talk to Rick :)

Yes, I already sent him an email :)
Comment 21 Joseph Davis 2018-09-27 15:15:49 UTC
Looks like it merged to SLE-12-SP3:Cloud8.
Comment 22 Jenny Wei 2018-10-09 18:56:19 UTC
Verified in hlm002.
Comment 23 Swamp Workflow Management 2018-10-30 11:15:10 UTC
SUSE-SU-2018:3563-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1094851,1094971,1102662,1102920
CVE References: CVE-2018-1288
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
SUSE OpenStack Cloud 8 (src):    ardana-monasca-8.0+git.1535031421.9262a47-3.12.1, ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1, kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
HPE Helion Openstack 8 (src):    ardana-monasca-8.0+git.1535031421.9262a47-3.12.1, ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1, kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
Comment 25 Swamp Workflow Management 2020-06-09 13:14:29 UTC
SUSE-SU-2020:1573-1: An update that solves four vulnerabilities and has 16 fixes is now available.

Category: security (moderate)
Bug References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506
CVE References: CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838
Sources used:
SUSE CaaS Platform 4.0 (src):    caasp-release-4.2.1-24.23.4, skuba-1.3.5-3.39.1, terraform-provider-vsphere-1.17.3-3.3.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.