Vulnerability Description
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created or updated on that Connect cluster to use an externalized secret variable as a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration, and the response will contain the plaintext secret rather than the externalized secret variable.
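An added example (not from the advisory or the Kafka project) of the defender-side check this description implies: compare the connector config you submitted with the task configs the worker returns, and flag any property in which a config-provider variable came back resolved. The connector class names, secrets file path and secret value are constructed placeholders.

```python
import re

# Kafka Connect config-provider variable syntax: ${provider:key} or ${provider:path:key}
VARIABLE_RE = re.compile(r"\$\{[^}]*:[^}]*\}")


def externalized_vars(value):
    """Return the set of unresolved config-provider variables in a property value."""
    return set(VARIABLE_RE.findall(value))


def find_leaked_properties(connector_config, task_configs):
    """Compare the connector config submitted to the worker with the task configs the
    worker returns from GET /connectors/{name}/tasks. Every externalized variable in a
    submitted value must still appear in each task's value for that property; if one is
    missing, the worker has substituted the resolved plaintext secret into the response.
    Returns (task_index, property_name) pairs for such properties."""
    leaks = []
    for prop, value in connector_config.items():
        expected = externalized_vars(value)
        if not expected:
            continue  # nothing externalized in this property
        for idx, task in enumerate(task_configs):
            task_value = task.get(prop)
            if task_value is not None and not expected <= externalized_vars(task_value):
                leaks.append((idx, prop))
    return leaks


# Constructed sample data (not from the advisory): the same secret referenced once as a
# whole property value and once as a substring of a JDBC URL.
SECRET_VAR = "${file:/opt/connect/secrets.properties:db.password}"
CONNECTOR_CONFIG = {
    "connector.class": "io.example.JdbcSinkConnector",
    "connection.password": SECRET_VAR,
    "connection.url": "jdbc:postgresql://db.example.internal/app?password=" + SECRET_VAR,
}

# Expected behaviour: task configs echo the variables back unresolved.
SAFE_TASK_CONFIGS = [{**CONNECTOR_CONFIG, "task.class": "io.example.JdbcSinkTask"}]

# Behaviour described in the advisory: the whole-value reference survives, but the
# substring reference has been replaced by the plaintext secret.
LEAKY_TASK_CONFIGS = [{**SAFE_TASK_CONFIGS[0],
                       "connection.url": "jdbc:postgresql://db.example.internal/app"
                                         "?password=s3cr3t-constructed"}]

if __name__ == "__main__":
    print("safe worker :", find_leaked_properties(CONNECTOR_CONFIG, SAFE_TASK_CONFIGS))
    print("leaky worker:", find_leaked_properties(CONNECTOR_CONFIG, LEAKY_TASK_CONFIGS))
```

Running the same comparison against a live worker's task-config response tells you whether that worker resolves substring variables before returning them.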
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Kafka | 2.0.0 |
| Oracle | Banking Corporate Lending Process Management | 14.1.0 |
| Oracle | Banking Credit Facilities Process Management | 14.1.0 |
| Oracle | Banking Liquidity Management | >= 14.0.0, <= 14.4.0 |
| Oracle | Banking Payments | 14.4.0 |
| Oracle | Banking Platform | 2.7.0 |
| Oracle | Banking Supply Chain Finance | >= 14.2.0, <= 14.4.0 |
| Oracle | Banking Trade Finance Process Management | 14.1.0 |
| Oracle | Banking Virtual Account Management | 14.1.0 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Communications Cloud Native Core Policy | 1.9.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Universal Banking | 14.4.0 |
References
- http://www.openwall.com/lists/oss-security/2020/01/14/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d
- https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d7
- https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc
- https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0
- https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7f
- https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bf
- https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a18
- https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fe
- https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c
- https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5e
- https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc2
FAQ
What is CVE-2019-12399?
CVE-2019-12399 is a vulnerability with a CVSS score of 7.5 (HIGH). When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to ...
How severe is CVE-2019-12399?
CVE-2019-12399 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-12399?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Kafka, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Liquidity Management, Oracle Banking Payments.