Bugzilla – Bug 1102920
VUL-0: CVE-2018-1288: kafka: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request
Last modified: 2020-06-09 13:14:29 UTC
CVE-2018-1288 In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1288
http://seclists.org/oss-sec/2018/q3/63
http://www.cvedetails.com/cve/CVE-2018-1288/
https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E
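The authorization distinction behind this advisory, as an added Python model that is not Kafka's code and not part of this bug report: a fetch request whose replica id is anything other than the consumer value -1 presents itself as a follower broker, so a fixed broker must gate it on a cluster-level permission instead of plain topic Read (ClusterAction on the Cluster resource is, to my knowledge, what the upstream fix checks; the page itself does not describe the fix). The ACL table, principal names, topic name and the Authorizer/Resource/Operation types are constructed for this example. The pre-fix function is kept beside the fixed one to show why topic Read alone was enough to reach the replication path.

```python
"""Model of the fetch-request authorization gap fixed for CVE-2018-1288.

Illustrative code, not Apache Kafka's implementation. The only Kafka
convention relied on is that consumer fetches carry replicaId = -1 while
follower (broker) fetches carry the follower's broker id (>= 0).
"""
from dataclasses import dataclass, field
from enum import Enum

CONSUMER_REPLICA_ID = -1  # Kafka convention: consumers send replicaId = -1


class Operation(Enum):
    READ = "Read"
    CLUSTER_ACTION = "ClusterAction"


@dataclass(frozen=True)
class Resource:
    kind: str  # "Topic" or "Cluster" (constructed resource model)
    name: str


CLUSTER = Resource("Cluster", "kafka-cluster")


@dataclass
class FetchRequest:
    principal: str   # authenticated identity, e.g. "User:consumer"
    replica_id: int  # -1 for consumers, broker id for followers
    topics: tuple    # topic names the request asks for


@dataclass
class Authorizer:
    """Constructed ACL store: set of (principal, operation, resource)."""
    acls: set = field(default_factory=set)

    def allow(self, principal, operation, resource):
        self.acls.add((principal, operation, resource))

    def authorize(self, principal, operation, resource):
        return (principal, operation, resource) in self.acls


def authorize_fetch_vulnerable(auth, req):
    """Pre-fix behaviour: every fetch is treated the same and only needs
    Read on each topic, so a replica-style fetch is not distinguished."""
    return all(auth.authorize(req.principal, Operation.READ, Resource("Topic", t))
               for t in req.topics)


def authorize_fetch_fixed(auth, req):
    """Post-fix behaviour: a fetch that claims to come from a follower is
    a cluster action and must hold ClusterAction on the Cluster resource;
    ordinary consumer fetches still need Read per topic."""
    if req.replica_id != CONSUMER_REPLICA_ID:
        return auth.authorize(req.principal, Operation.CLUSTER_ACTION, CLUSTER)
    return all(auth.authorize(req.principal, Operation.READ, Resource("Topic", t))
               for t in req.topics)


def demo():
    """Run three constructed requests through both checks."""
    auth = Authorizer()
    auth.allow("User:consumer", Operation.READ, Resource("Topic", "metrics"))
    auth.allow("User:broker-1", Operation.CLUSTER_ACTION, CLUSTER)

    consumer = FetchRequest("User:consumer", CONSUMER_REPLICA_ID, ("metrics",))
    # same Read-only principal, but the request claims to be follower broker 1
    replica_claim = FetchRequest("User:consumer", 1, ("metrics",))
    broker = FetchRequest("User:broker-1", 1, ("metrics",))

    return {
        "consumer_vuln": authorize_fetch_vulnerable(auth, consumer),
        "replica_claim_vuln": authorize_fetch_vulnerable(auth, replica_claim),
        "consumer_fixed": authorize_fetch_fixed(auth, consumer),
        "replica_claim_fixed": authorize_fetch_fixed(auth, replica_claim),
        "broker_fixed": authorize_fetch_fixed(auth, broker),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

With the vulnerable check, a principal holding only topic Read is let through even when its request is shaped like a follower fetch; with the fixed check that request is denied while a principal holding ClusterAction (the real broker) still replicates. For detection purposes, fetch requests with a non-negative replica id arriving from principals that are not broker identities are the signal worth alerting on.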
Ok, thank you for your analysis. I've marked the codestreams as affected and requested an update. Looking forward to seeing the necessary submissions ;).
This one is a bit tricky to fix: Monasca requires Kafka 0.9 or something that behaves like it. Kafka 0.10.x has a setting for picking a Kafka protocol version, but configuring that setting accordingly will require changing monasca-installer and Ardana as well and some testing. A backport to 0.9.0 would be preferable, but there's a problem with that: I just tried cherry-picking d2932ad370c5b56edac9d99e6d75f199537a569f to the upstream 0.9.0 branch, but it does not apply cleanly and assumes the presence of at least one additional commit (01aeea7c7bca34f1edce40116b7721335938b13b) which is currently not in the 0.9.0 branch. I'd rather not risk patching Kafka this extensively, so I'll go with updating to 0.10.2.2 and configuring 0.9 accordingly. Joseph: once this lands in the package it will break both Ardana and Crowbar based Cloud 8, since neither sets that Kafka protocol version setting yet. So we'll need to carefully sync changing the package with updating both monasca-installer and monasca-ansible right after. We might be able to get away with adding that setting before we change the package, but I'll have to try whether adding it on Kafka 0.9.0 works first.
@Johannes: Thanks for the good analysis. I hope we can get the settings for monasca in place before switching - that would be a good scenario. We do need to get Monasca moving forward with Kafka versions again. Do we need to bring this up with the Monasca Community?
Here's an updated kafka and kafka-kit package: https://build.opensuse.org/request/show/627888 Also, I've got some good news: this is not going to break anything, even without monasca-installer changes since the Kafka protocol is somewhat intelligent and supports a protocol version field (see https://kafka.apache.org/protocol#protocol_compatibility ). I had a bit of a chat with upstream, and the general sentiment was that as long as all the clients talking to Kafka specify the same version, there's no problem. For both Cloud 7 and Cloud 8 that is 0.9.0.0 across the board, so we are good. I already tested the updated Kafka package on my local cloud and it worked out fine (alarms, metrics and logs continue to work as expected). So long story short, we don't need a monasca-installer change to go with this right now. I made a note to hardwire the protocol version for Cloud 9, though. Joseph, can you please take a look at https://build.opensuse.org/request/show/627888 and check to make sure the update to 0.10.2.2 doesn't break your patches (it shouldn't but I'd prefer having a second pair of eyes on it)? Once I've got your go-ahead I'll merge this and submit it for Cloud:OpenStack:{Newton,Pike} and beyond.
Ok, merged to network:messaging:kafka. Here are the requests for Cloud:OpenStack:Newton...
https://build.opensuse.org/request/show/627925
https://build.opensuse.org/request/show/627926
...Cloud:OpenStack:Ocata...
https://build.opensuse.org/request/show/627928
https://build.opensuse.org/request/show/627929
...and Cloud:OpenStack:Pike:
https://build.opensuse.org/request/show/627930
https://build.opensuse.org/request/show/627931
Sorry, forgot the requests for Queens yesterday:
https://build.opensuse.org/request/show/628024
https://build.opensuse.org/request/show/628025
SUSE-SU-2018:2536-1: An update that solves three vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1086909,1090192,1090343,1090849,1094448,1095603,1096985,1102920
CVE References: CVE-2018-12099,CVE-2018-1288,CVE-2018-3817
Sources used:
SUSE OpenStack Cloud 7 (src): grafana-4.5.1-1.8.1, kafka-0.10.2.2-5.1, logstash-2.4.1-5.1, monasca-installer-20180608_12.47-9.1
Hmm, I attempted to just submit the package (which has these changes) from https://build.suse.de/package/show/Devel:Cloud:8/kafka to SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and got this error message:
> Unable to submit: The target project SUSE:SLE-12-SP3:Update:Products:Cloud8:Update is a maintenance release project, a submit self is not possible, please use the maintenance workflow instead.
I'm afraid I'm not familiar enough with IBS processes to get it right yet.
(In reply to Joseph Davis from comment #14)
> Hmm, I attempted to just submit the package (which has these changes) from https://build.suse.de/package/show/Devel:Cloud:8/kafka to SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and got this error message:
>
> > Unable to submit: The target project SUSE:SLE-12-SP3:Update:Products:Cloud8:Update is a maintenance release project, a submit self is not possible, please use the maintenance workflow instead.
>
> I'm afraid I'm not familiar enough with IBS processes to get it right yet.
Reading https://openbuildservice.org/help/manuals/obs-reference-guide/cha.obs.maintenance_setup.html makes it sound like the request has to be handled by a member of the maintenance team. Am I reading too much into the process?
(In reply to Joseph Davis from comment #15)
The process is described in https://pes.suse.de/Maintenance-Security/Submitting_Packages/ (can you access this link?)
Thanks for the link. Do I need to create a new branch with the -M tag and copy the changes from another branch to there before submitting, or can I just submit the existing branch with the changes using "mr"? ... Gave it a try from the command line. Does https://build.suse.de/request/show/171765 look correct?
(In reply to Joseph Davis from comment #17) looks fine but it seems you need to talk to Rick :)
(In reply to Johannes Segitz from comment #18)
> (In reply to Joseph Davis from comment #17)
> looks fine but it seems you need to talk to Rick :)
yes, I already sent him an email :)
Looks like it merged to SLE-12-SP3:Cloud8
Verified in hlm002
SUSE-SU-2018:3563-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (important)
Bug References: 1094851,1094971,1102662,1102920
CVE References: CVE-2018-1288
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
SUSE OpenStack Cloud 8 (src): ardana-monasca-8.0+git.1535031421.9262a47-3.12.1, ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1, kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
HPE Helion Openstack 8 (src): ardana-monasca-8.0+git.1535031421.9262a47-3.12.1, ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1, kafka-0.10.2.2-5.6.1, openstack-monasca-api-2.2.1~dev24-3.6.1
SUSE-SU-2020:1573-1: An update that solves four vulnerabilities and has 16 fixes is now available.
Category: security (moderate)
Bug References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506
CVE References: CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838
Sources used:
SUSE CaaS Platform 4.0 (src): caasp-release-4.2.1-24.23.4, skuba-1.3.5-3.39.1, terraform-provider-vsphere-1.17.3-3.3.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.