CVE-2023-29471: akka.kafka.internal.KafkaConsumerActor logs credentials on debug level · Issue #1592 · akka/alpakka-kafka
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Versions used
Akka version: 2.6.20
Akka Stream Kafka version: 3.0.1
Expected Behavior
Credentials are not logged in the logs.
Actual Behavior
Credentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext.
Relevant logs
Creating Kafka consumer with akka.kafka.ConsumerSettings(properties=(auto.offset.reset,earliest),(bootstrap.servers,kafka:9092),(client.dns.lookup,use_all_dns_ips),(enable.auto.commit,false),(group.id,my-app),(max.poll.records,250),(sasl.jaas.config,org.apache.kafka.common.security.plain.PlainLoginModule required username='FOOBAR' password='FOOBAR';),(sasl.mechanism,PLAIN),(security.protocol,SASL_SSL),keyDeserializer=Some(org.apache.kafka.common.serialization.StringDeserializer@130dc346),valueDeserializer=Some(io.confluent.kafka.serializers.KafkaAvroDeserializer@1dca3f57),pollInterval=50 milliseconds,pollTimeout=50 milliseconds,stopTimeout=0 days,closeTimeout=20 seconds,commitTimeout=15 seconds,commitRefreshInterval=Duration.Inf,dispatcher=akka.kafka.default-dispatcher,commitTimeWarning=1 second,waitClosePartition=500 milliseconds,metadataRequestTimeout=5 seconds,drainingCheckInterval=30 milliseconds,connectionCheckerSettings=akka.kafka.ConnectionCheckerSettings(enable=false,maxRetries=3,checkInterval=15 seconds,factor=2.0),partitionHandlerWarning=5 secondsresetProtectionSettings=akka.kafka.OffsetResetProtectionSettings(enable=false,offsetThreshold=9223372036854775807,timeThreshold=100000 days)enrichAsync=None)
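The debug message above shows the two things a practitioner wants to be able to do with logs produced by an affected version: find lines where a SASL password (or another secret Kafka client property) was written out, and produce a redacted copy that keeps the rest of the configuration intact. The following Python is an added example for this issue, not code from Alpakka Kafka or the issue reporter. It works on the `(key,value)` tuple format of `akka.kafka.ConsumerSettings.toString` quoted above; the list of secret property names and the three sample log lines are constructed for the example.

```python
"""Detect and redact Kafka client credentials in log output.

Added example; not part of Alpakka Kafka. Sample input is constructed from
the ConsumerSettings.toString format quoted in the issue.
"""
import re

# JAAS login-module option `password='secret'` (single or double quoted), as
# used by org.apache.kafka.common.security.plain.PlainLoginModule. Matching the
# option itself means the check does not depend on the surrounding log format.
JAAS_PASSWORD_RE = re.compile(r"""(password\s*=\s*)(['"])([^'"]*)\2""", re.IGNORECASE)

# Kafka client properties whose entire value is a secret, as they appear in the
# `(key,value)` tuples of ConsumerSettings.toString. This key list is an
# assumption for the example; extend it for your deployment.
SECRET_PROPERTY_RE = re.compile(
    r"\((ssl\.(?:keystore|truststore|key)\.password),([^()]*)\)"
)

REDACTED = "[REDACTED]"


def find_leaked_credentials(line: str) -> list[tuple[str, str]]:
    """Return (where, secret) pairs for every credential visible in one log line.

    Already-redacted values are ignored so the scanner can be re-run on
    sanitised logs without reporting its own placeholder.
    """
    found = [
        ("jaas password", m.group(3))
        for m in JAAS_PASSWORD_RE.finditer(line)
        if m.group(3) != REDACTED
    ]
    found += [
        (m.group(1), m.group(2))
        for m in SECRET_PROPERTY_RE.finditer(line)
        if m.group(2) != REDACTED
    ]
    return found


def redact_line(line: str) -> str:
    """Replace every credential in a log line while keeping its structure.

    The JAAS username is kept (it is useful for correlation); only the
    password option and whole-value secret properties are masked.
    """
    line = JAAS_PASSWORD_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}{m.group(2)}", line
    )
    return SECRET_PROPERTY_RE.sub(lambda m: f"({m.group(1)},{REDACTED})", line)


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Scan a whole log; return (line_number, where, secret) for each leak."""
    return [
        (n, where, secret)
        for n, line in enumerate(text.splitlines(), start=1)
        for where, secret in find_leaked_credentials(line)
    ]


# Constructed sample: line 1 follows the issue's debug message (trimmed to the
# relevant properties), line 2 adds a keystore password, line 3 is harmless.
SAMPLE_LOG = (
    "Creating Kafka consumer with akka.kafka.ConsumerSettings(properties="
    "(bootstrap.servers,kafka:9092),(group.id,my-app),"
    "(sasl.jaas.config,org.apache.kafka.common.security.plain.PlainLoginModule "
    "required username='FOOBAR' password='FOOBAR';),"
    "(sasl.mechanism,PLAIN),(security.protocol,SASL_SSL))\n"
    "Creating Kafka producer with properties=(ssl.keystore.password,changeit),"
    "(security.protocol,SSL)\n"
    "Assigned partitions [my-topic-0] to consumer group my-app\n"
)

if __name__ == "__main__":
    for n, where, secret in scan_log(SAMPLE_LOG):
        # Report the location and size of the leak, never the secret itself.
        print(f"line {n}: {where} leaked ({len(secret)} chars)")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

Run against an application's existing debug logs, `scan_log` tells you whether credentials were actually written out and therefore need rotating; `redact_line` is the shape of the control the issue asks for, applied before a settings object is ever formatted into a log message. Neither replaces the fix the CVE text points at, which is upgrading to Alpakka Kafka 5.0.0 or later.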