To avoid confusion: all the described issues aren't with Apache Kafka, but with a separate piece of software called "Kafka UI", which is separate from Apache Kafka and isn't maintained or distributed with it.
> Similar to the previous issue, it took almost six months for developers to implement a fix in version 0.7.2 of Kafka UI. They fixed it by only updating the Apache Commons Collections library to the newer version. While it prevents the second stage of the gadget chain I shared above, the deserialization of untrusted data still can occur.

This is concerning, that it took that long for it to be addressed. Also, the changelog involving these issues doesn't exactly inspire confidence because it has fixing the issues marked as a 'chore' [0]; this could cause people to skip the update if they skim it and see the only change was a 'chore' change.

[0]: https://github.com/provectus/kafka-ui/releases/tag/v0.7.2

Edit: After taking a closer look, the long timeline for the fix makes a little bit more sense. Provectus, the company behind kafka-ui, made a point late last year that they are pausing or otherwise stepping back from active development of the project [1]. I still think that 6 months is a bit of a long time, but with the additional context it seems less like security negligence and more just the project not being anyone's focus.

[1]: https://github.com/provectus/kafka-ui/discussions/4255
Not sure if people are still using Kafka UI. It's been essentially unmaintained for a while now.

While the release notes of Kafka UI 0.7.2 [1] only mention the security fixes, it contains 1 year's (!) worth of changes [2].

The designated successor is Kafbat UI [3, 4], developed by the same development team which previously worked on Kafka UI.

Kafbat UI 1.0.0 [5] already contains a fix for CVE-2023-52251 [6].

[1]: https://github.com/provectus/kafka-ui/releases/tag/v0.7.2

[2]: https://github.com/provectus/kafka-ui/compare/v0.7.1...v0.7.2

[3]: https://github.com/kafbat/kafka-ui

[4]: https://github.com/kafbat/kafka-ui/discussions/23

[5]: https://github.com/kafbat/kafka-ui/releases/tag/v1.0.0

[6]: https://nvd.nist.gov/vuln/detail/CVE-2023-52251