CVE-2021-33923

Title

Insecure Permissions set by Confluent Ansible toolset

Product

Confluent Ansible (cp-ansible)

Vulnerable Version

cp-ansible 5.5.0, 5.5.1, 5.5.2, 6.0.0

Fixed Version

cp-ansible >=5.5.3, cp-ansible >=6.0.1 released in December 2020

CVE Number

CVE-2021-33923

Impact

Medium

Homepage

https://docs.confluent.io/ansible/current/overview.html

Credits

Octav Opaschi (Detack GmbH)

Confluent Ansible (cp-ansible) versions prior to 5.5.3 set insecure permissions on some of the sensitive local configuration files of the platform components.

 

Product Description

Ansible Playbooks for Confluent Platform offers a simple way to configure and deploy Confluent Platform. The cp-ansible repository provides the playbooks and templates that allow you to easily provision the Confluent Platform in your environment.

Source: https://docs.confluent.io/ansible/current/overview.html

 

Confluent Platform is a full-scale event streaming platform that enables you to easily access, store, and manage data as continuous, real-time streams. Built by the original creators of Apache Kafka, Confluent expands the benefits of Kafka with enterprise-grade features while removing the burden of Kafka management or monitoring.

Source: https://docs.confluent.io/platform/current/platform.html

 

Vulnerability Description

It was determined that, in the default installations of cp-ansible, prior to version(s) 5.5.3 and 6.0.1, the permissions on some sensitive files (private keys, state database) are too relaxed. This can lead to sensitive information disclosure, and potential key material compromise, in case of a rogue local operating system user.

 

Proof of Concept

N/A

 

Solution / Workaround

The reported vulnerability is fixed in software versions cp-ansible >=5.5.3 and cp-ansible >=6.0.1. It is recommended to update existing software installations to the specified version.