Bug 1160854 - (CVE-2019-12399) VUL-0: CVE-2019-12399: kafka: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
VUL-0: CVE-2019-12399: kafka: Apache Kafka Connect REST API may expose plaint...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
maint:planned:update CVSSv2:NVD:CVE-...
Depends on:
  Show dependency treegraph
Reported: 2020-01-14 09:05 UTC by Wolfgang Frisch
Modified: 2021-08-31 14:59 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-01-14 09:05:54 UTC

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
2.2.1, or 2.3.0 are configured with one or more config providers, and a
connector is created/updated on that Connect cluster to use an externalized
secret variable in a substring of a connector configuration property value
(the externalized secret variable is not the whole configuration property
value), then any client can issue a request to the same Connect cluster to
obtain the connector's task configurations and the response will contain
the plaintext secret rather than the externalized secrets variable.

Comment 1 Wolfgang Frisch 2020-01-14 09:06:02 UTC
Versions Affected:
Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0

Apache Kafka Connect users should upgrade to one of the following versions
where this vulnerability has been fixed:
- 2.0.2 or higher
- 2.1.2 or higher
- 2.2.2 or higher
- 2.3.1 or higher
Comment 2 Keith Berger 2020-06-02 14:50:03 UTC
SOC9/8/7 ship with a much older version of Kafka so this CVE does not apply

Information for package kafka:
Repository     : Cloud
Name           : kafka
Version        :
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : Level 3
Installed Size : 41.1 MiB
Installed      : Yes
Status         : up-to-date
Source package : kafka-
Summary        : Apache Kafka Server
Description    :

Security please verify and close.
Comment 3 Marcus Meissner 2021-08-31 14:59:49 UTC
lets consider fixed upstream