Title | Insecure Permissions set by Confluent Ansible toolset
Product | Confluent Ansible (cp-ansible)
Vulnerable Version | cp-ansible 5.5.0, 5.5.1, 5.5.2, 6.0.0
Fixed Version | cp-ansible >=5.5.3, cp-ansible >=6.0.1 released in December 2020
CVE Number | CVE-2021-33923
Impact | Medium
Homepage | https://docs.confluent.io/ansible/current/overview.html
Credits | Octav Opaschi (Detack GmbH)
Confluent Ansible (cp-ansible) versions prior to 5.5.3 set insecure permissions on some of the sensitive local configuration files of the platform components.
Ansible Playbooks for Confluent Platform offers a simple way to configure and deploy Confluent Platform. The cp-ansible repository provides the playbooks and templates that allow you to easily provision the Confluent Platform in your environment.
Source: https://docs.confluent.io/ansible/current/overview.html
Confluent Platform is a full-scale event streaming platform that enables you to easily access, store, and manage data as continuous, real-time streams. Built by the original creators of Apache Kafka, Confluent expands the benefits of Kafka with enterprise-grade features while removing the burden of Kafka management or monitoring.
Source: https://docs.confluent.io/platform/current/platform.html
In default installations of cp-ansible prior to versions 5.5.3 and 6.0.1, the permissions on some sensitive files (private keys, state database) are too permissive. A rogue local operating system user can read these files, which can lead to sensitive information disclosure and potential compromise of key material.
N/A
The reported vulnerability is fixed in cp-ansible >=5.5.3 and cp-ansible >=6.0.1. It is recommended to update existing installations to one of the specified versions.
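To check a host for the loose file modes described above, the following audit walks a directory and reports key and state files that non-owners can read or modify. It is an added example, not part of the advisory or of cp-ansible; the suffix list and the directories passed on the command line are assumptions to adapt to the deployment.

```python
import os
import stat
import sys

# Assumption: suffixes that typically mark key material or state databases.
SENSITIVE_SUFFIXES = (".key", ".pem", ".jks", ".p12", ".db")

# (permission bit, label) pairs checked against each file's mode.
CHECKS = (
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
)

def audit(root, allow_group_read=False):
    """Return sorted (path, octal mode, reasons) for sensitive files under
    root whose mode grants access beyond the owning user."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SENSITIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                   # only regular files are audited
            mode = stat.S_IMODE(st.st_mode)
            reasons = [label for bit, label in CHECKS if mode & bit]
            if allow_group_read and "group-readable" in reasons:
                # A dedicated service group may legitimately need read access.
                reasons.remove("group-readable")
            if reasons:
                findings.append((path, oct(mode), ", ".join(reasons)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_perms.py <config-dir> [<config-dir> ...]
    results = [f for root in sys.argv[1:] for f in audit(root)]
    for path, mode, reasons in results:
        print(f"{mode}  {path}  ({reasons})")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one flagged file, which makes the script usable as a post-deployment gate.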