|Unauthenticated Access in Auxiliary Component
|Confluent Ansible (cp-ansible)
|cp-ansible 5.5.0, 5.5.1, 5.5.2, 6.0.0
|cp-ansible >=5.5.3, cp-ansible >=6.0.1 released in December 2020
|Octav Opaschi (Detack GmbH)
The default deployment provided by Ansible playbook for Confluent Platform installations, prior to versions cp-ansible 5.5.3 and 6.0.1, can enable an attacker to access an auxiliary component used for monitoring, which in some cases, can lead to privilege escalation.
Ansible Playbooks for Confluent Platform offers a simple way to configure and deploy Confluent Platform. The cp-ansible repository provides the playbooks and templates that allow you to easily provision the Confluent Platform in your environment.
Confluent Platform is a full-scale event streaming platform that enables you to easily access, store, and manage data as continuous, real-time streams. Built by the original creators of Apache Kafka, Confluent expands the benefits of Kafka with enterprise-grade features while removing the burden of Kafka management or monitoring.
It was determined that, in the default installations of cp-ansible, prior to version(s) 5.5.3 and 6.0.1, a management component is enabled and does not require prior authentication. This leads to information disclosure related to metrics and configuration values from several of the Platform components, and can, in very specific circumstances, lead to privilege escalation on some of the Platform components. An attacker can exploit this vulnerability in order to escalate privileges horizontally within some of the Kafka components.
The reported vulnerability is fixed in software versions cp-ansible >=5.5.3 and cp-ansible >=6.0.1. It is recommended to update existing software installations to the specified version.