akka.kafka.internal.KafkaConsumerActor logs credentials on debug level #1592

Closed
AvaPL opened this issue Jan 12, 2023 · 6 comments
@AvaPL

AvaPL commented Jan 12, 2023

Versions used

Akka version: 2.6.20
Akka Stream Kafka version: 3.0.1

Expected Behavior

Credentials are not logged in the logs.

Actual Behavior

Credentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext.

Relevant logs

Creating Kafka consumer with akka.kafka.ConsumerSettings(properties=(auto.offset.reset,earliest),(bootstrap.servers,kafka:9092),(client.dns.lookup,use_all_dns_ips),(enable.auto.commit,false),(group.id,my-app),(max.poll.records,250),(sasl.jaas.config,org.apache.kafka.common.security.plain.PlainLoginModule required username='FOOBAR' password='FOOBAR';),(sasl.mechanism,PLAIN),(security.protocol,SASL_SSL),keyDeserializer=Some(org.apache.kafka.common.serialization.StringDeserializer@130dc346),valueDeserializer=Some(io.confluent.kafka.serializers.KafkaAvroDeserializer@1dca3f57),pollInterval=50 milliseconds,pollTimeout=50 milliseconds,stopTimeout=0 days,closeTimeout=20 seconds,commitTimeout=15 seconds,commitRefreshInterval=Duration.Inf,dispatcher=akka.kafka.default-dispatcher,commitTimeWarning=1 second,waitClosePartition=500 milliseconds,metadataRequestTimeout=5 seconds,drainingCheckInterval=30 milliseconds,connectionCheckerSettings=akka.kafka.ConnectionCheckerSettings(enable=false,maxRetries=3,checkInterval=15 seconds,factor=2.0),partitionHandlerWarning=5 secondsresetProtectionSettings=akka.kafka.OffsetResetProtectionSettings(enable=false,offsetThreshold=9223372036854775807,timeThreshold=100000 days)enrichAsync=None)
@ennru
Member

ennru commented Jan 16, 2023

This is not very good on Alpakka Kafka, but having PlainLoginModule print the password in its toString method is rather broken, as well.

@ennru
Member

ennru commented Apr 13, 2023

I've now opened #1614 to make sure only non-security affecting properties are logged.
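
As an added illustration of the kind of change described in the comment above (example code written for this page, not Alpakka Kafka's own implementation from #1614): the naive rendering of the consumer settings prints every property, including the `sasl.jaas.config` value with its PLAIN credentials. The hardened renderer masks the credential values inside the JAAS line (keeping the login module name, which is useful for debugging) and replaces other secret-bearing keys with a placeholder. The `SENSITIVE_KEYS` set, the `.password` suffix rule and the sample properties are assumptions constructed for the example; `leaks_jaas_secret` is a small detection helper for checking captured log lines for unmasked credentials.

```python
import re
from typing import Dict, Mapping

# Kafka client settings whose values are secrets or key material. This set is an
# assumption for the example, not the exact list the project filters.
SENSITIVE_KEYS = frozenset({
    "ssl.key.password",
    "ssl.keystore.password",
    "ssl.truststore.password",
    "ssl.keystore.key",
    "ssl.keystore.certificate.chain",
})
JAAS_KEY = "sasl.jaas.config"
REDACTED = "[REDACTED]"

# Matches username='...', password="...", or password=bare-token inside a JAAS config line.
_JAAS_SECRET = re.compile(
    r"(?i)\b(username|password)(\s*=\s*)(?:'([^']*)'|\"([^\"]*)\"|([^\s;]+))"
)

# Constructed sample mirroring the properties printed in the issue report.
SAMPLE_PROPERTIES: Dict[str, str] = {
    "bootstrap.servers": "kafka:9092",
    "group.id": "my-app",
    "sasl.mechanism": "PLAIN",
    "security.protocol": "SASL_SSL",
    JAAS_KEY: "org.apache.kafka.common.security.plain.PlainLoginModule "
              "required username='FOOBAR' password='FOOBAR';",
}


def render_naively(properties: Mapping[str, str]) -> str:
    """Pre-fix behaviour: every property goes into the log line verbatim."""
    return ",".join(f"({k},{v})" for k, v in sorted(properties.items()))


def redact_jaas_config(value: str) -> str:
    """Keep the login module and option names, mask the credential values."""
    def mask(m):
        return f"{m.group(1)}{m.group(2)}'{REDACTED}'"
    return _JAAS_SECRET.sub(mask, value)


def is_sensitive(key: str) -> bool:
    """Deny-listed keys plus any key ending in '.password' (covers vendor-specific settings)."""
    return key in SENSITIVE_KEYS or key.endswith(".password")


def render_redacted(properties: Mapping[str, str]) -> str:
    """Render settings for a debug log line without exposing secrets."""
    parts = []
    for k, v in sorted(properties.items()):
        if k == JAAS_KEY:
            v = redact_jaas_config(v)
        elif is_sensitive(k):
            v = REDACTED
        parts.append(f"({k},{v})")
    return ",".join(parts)


def leaks_jaas_secret(log_line: str) -> bool:
    """Detection helper: does a captured log line carry an unmasked JAAS credential?"""
    for m in _JAAS_SECRET.finditer(log_line):
        secret = m.group(3) or m.group(4) or m.group(5) or ""
        if secret and secret != REDACTED:
            return True
    return False


if __name__ == "__main__":
    print("before:", render_naively(SAMPLE_PROPERTIES))
    print("after: ", render_redacted(SAMPLE_PROPERTIES))
```

Running the module prints the leaking line first and the masked line second; `leaks_jaas_secret` returns `True` for the former and `False` for the latter, which is the check to run over existing log output when deciding whether an upgrade (or a credential rotation) is needed.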

@johanandren johanandren added this to the 4.0.1 milestone Apr 13, 2023
@ennru
Member

ennru commented Apr 18, 2023

The fix for this issue is released with Alpakka Kafka 4.0.2 (the 4.0.1 version had an error during the release).

@ennru
Member

ennru commented Apr 24, 2023

We've now reported this security problem as CVE-2023-29471.

@esamson

esamson commented May 2, 2023

Will the fix be backported to 3.0.x?

@johanandren
Member

We do not consider this issue critical and are not planning to backport it.
