Critical Vulnerability Information

Vulnerability Title
All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters

Vulnerability ID
GHSA-6x85-j2f7-4xc5

Affected Software and Versions
Package: Strimzi Cluster Operator and Kafka container images (Container images)
Affected versions: >= 0.47.0
Patched versions: 0.50.1, 0.51.0

Impact Description
Impact: When trusted certificates for Kafka Connect or Kafka MirrorMaker 2 are configured with a CA chain containing multiple CA certificates, every CA in the chain is individually trusted when connecting to an Apache Kafka cluster. The affected components therefore accept server certificates signed by any CA in the chain, not just the last CA in the chain.

Severity
Severity: Moderate (5.9/10)
CVSS v3 Base Metrics:
- Attack vector: Network
- Attack complexity: High
- Privileges required: High
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None

Workarounds and Remediation
Patches: This issue has been fixed in Strimzi 0.50.1.
Workarounds: Users can provide a single CA certificate instead of the entire CA chain when configuring trusted certificates.

CWE Categories
CWE-295
CWE-296

References
n/a

Credit
Reporter: scholzj
Remediation reviewers:
- ppatierno
- katheris
- tinaselenge
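The mechanism behind this advisory is that a truststore built from a PEM bundle gets one trust anchor per CERTIFICATE block, so handing over a whole chain widens trust to every CA in it. The triage helper below is an added example (not Strimzi project code): it splits a trusted-certificates bundle the way a truststore loader would, counts the resulting anchors, checks the operator version against the advisory's affected range, and echoes the advisory's workaround. The PEM payloads are constructed placeholders rather than real certificates, and the version check assumes that every release from 0.50.1 onward carries the fix (the page lists 0.50.1 and 0.51.0 as patched).

```python
"""Triage helper for GHSA-6x85-j2f7-4xc5 (added example, not Strimzi project code)."""
import base64
import re
from typing import Dict, List, Tuple

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Versions taken from the advisory: affected >= 0.47.0, fixed in 0.50.1.
FIRST_AFFECTED = (0, 47, 0)
FIRST_FIXED = (0, 50, 1)  # assumption: every release from 0.50.1 onward carries the fix


def _placeholder_cert_pem(label: str) -> str:
    """Build a syntactically valid PEM block around a constructed placeholder payload.

    The payload is NOT a real DER certificate; it only exercises the PEM splitting logic.
    """
    body = base64.b64encode(f"constructed placeholder for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: a full chain (root + intermediate + issuing CA) and a
# single root CA, as they might appear in a Strimzi trustedCertificates secret.
CHAIN_PEM = (
    _placeholder_cert_pem("root-ca")
    + _placeholder_cert_pem("intermediate-ca")
    + _placeholder_cert_pem("issuing-ca")
)
SINGLE_CA_PEM = _placeholder_cert_pem("root-ca")


def split_pem_bundle(pem: str) -> List[bytes]:
    """Return the decoded payload of every CERTIFICATE block in the bundle.

    A truststore built from this bundle gets one trust anchor per returned entry,
    which is why supplying a whole chain widens trust to every CA in it.
    """
    anchors = []
    for match in PEM_CERT_RE.finditer(pem):
        b64 = "".join(match.group(1).split())  # drop the 64-column line wrapping
        anchors.append(base64.b64decode(b64, validate=True))
    return anchors


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a Strimzi release string such as '0.50.1' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True when the operator/image version falls in the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def assess_trusted_certificates(pem: str, strimzi_version: str) -> Dict[str, object]:
    """Combine bundle shape and version into a triage verdict with the advisory's workaround."""
    anchors = split_pem_bundle(pem)
    multiple = len(anchors) > 1
    affected = is_affected_version(strimzi_version)
    if affected and multiple:
        recommendation = (
            "Upgrade to 0.50.1 or later, or replace the chain with the single CA "
            "certificate that should be trusted."
        )
    elif affected:
        recommendation = "Single CA certificate supplied; the workaround is already in place."
    else:
        recommendation = "Version includes the fix for this advisory."
    return {
        "certificate_count": len(anchors),
        "multiple_cas": multiple,
        "affected_version": affected,
        "vulnerable": affected and multiple,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    for name, bundle in (("chain", CHAIN_PEM), ("single", SINGLE_CA_PEM)):
        print(name, assess_trusted_certificates(bundle, "0.50.0"))
```

To use it on a real deployment, read the PEM from the secret referenced by `trustedCertificates` and pass the running operator version; a verdict of `vulnerable: True` means the bundle should be trimmed to the one CA that is meant to sign the target cluster's listener certificates until the upgrade lands.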