Improper Input Validation Affecting org.apache.pulsar:pulsar-proxy package, versions [,2.7.5) [2.8.0,2.8.3) [2.9.0,2.9.2)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHEPULSAR-3031779
- published 23 Sep 2022
- disclosed 23 Sep 2022
- credit Lari Hotari
Introduced: 23 Sep 2022
CVE-2022-24280 Open this link in a new tabHow to fix?
Upgrade org.apache.pulsar:pulsar-proxy to version 2.7.5, 2.8.3, 2.9.2 or higher.
Overview
Affected versions of this package are vulnerable to Improper Input Validation by allowing an attacker to send TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy.
Mitigation:
To address the issue, upgraded versions of Apache Pulsar Proxy will only allow connections to known broker ports 6650 and 6651 by default. In addition, it is necessary to limit proxied broker connections further to known broker addresses by specifying brokerProxyAllowedHostNames and brokerProxyAllowedIPAddresses Pulsar Proxy settings.
In Pulsar Helm chart deployments, the setting names should be prefixed with "PULSAR_PREFIX_".