#28676 Securing Kafka client configuration against SSRF and file reads (CVE-2025-27817)

Enhancement

Major

#28593

Baumselektions-Modell mit Teilbaum-Selektionslogik

#28695

Selektionsfilter für (Tree-)tables und -grids im Layout-Editor einstellen

#28704

Optimized access to table FLEX_DATA for some DBs

Detail

#28613

"DefaultFor" Konfigurationsoption im "advanceProcess"-Template für BPE

#28679

Dynamic labels for FormTableDefinition

#28705

Close Formlar dialogs on Cancel

#28712

Test can set whether warnings lead to failure

Nice to have

#28588

Option to mark tables in forms as non-selectable

Bugfix

Major

#28673

Vulnerability in commons-beanutils (CVE-2025-48734)

#28675

Opening Excel-Scripts in Script Recorder fails when starting from command line

#28676

Securing Kafka client configuration against SSRF and file reads (CVE-2025-27817)

#28684

DoS vulnerability in Apache Commons FileUpload (CVE-2025-48976)

#28692

ClassCastException in the ActiveTaskComponent

#28700

Security gap in workflow transitions - Unauthorized processing after task completion

#28739

TL script method filterPermission must not be evaluated at compile time

Detail

#28331

Incorrect update type creation in tUpdate leads to ignoring of hidden attribute changes

#28617

Bug: Post-Create-Actions fehlen bei Prozess-Start ohne Prüfung

#28640

Mandatory Multiline fields do not have a blue line

#28665

Calculated attributes are not updated when tables are changed

#28666

Fehlender DisplayContext nach BinaryDataSource-Conversion

#28667

Pipe closed Error when sending mail due to double rendering of content without EncodingAware interface

#28671

ExcelWriter methods are missing

#28686

REST routing: Shorter paths are prioritized over longer paths and cause incorrect route matching

#28690

Create in currency administration has wrong command group

#28698

Executability rule is checked on deleted object

#28706

Form tables exceed container width

#28707

Falsches Dirty-Handling im SelectTransitionDialog (BPE)

#28724

Selection filter must not be evaluated on deleted objects

#28726

Unique-Constraint-Violation bei mehrfacher Anwendung des MoveObjectsProcessor

Nice to have

#28458

Falsche Abfrage, ob Komponente Multi-Selektion unterstützt

Bugfix

Major

#28676

Securing Kafka client configuration against SSRF and file reads (CVE-2025-27817)

SecurityIssue TLKafka

Problem description

In the current Apache Kafka version (< 3.9.1), there is a potential security vulnerability related to the configuration of Kafka clients when using SASL/OAUTHBEARER:

The Kafka clients accept the configuration parameters:

sasl.oauthbearer.token.endpoint.url

sasl.oauthbearer.jwks.endpoint.url

These URLs are used to retrieve tokens or JWKs during authentication.

The transferred values could previously contain arbitrary URLs (e.g. file:///etc/passwd, http://localhost/internal-api), which could lead to arbitrary file read or SSRF (Server Side Request Forgery), especially if configurations come from insecure sources (e.g. SaaS integrations, external UIs or Kafka Connect REST APIs).

Solution

As of version 3.9.1, a new security measure has been introduced:

The new system property org.apache.kafka.sasl.oauthbearer.allowed.urls allows you to specify a whitelist of allowed URLs.

In 3.9.1, this whitelist is empty by default (= all URLs allowed) in order to remain downward compatible. As of version 4.0.0, all URLs are blocked unless explicitly allowed.

Aim of this ticket

Upgrade the Kafka client version used from 3.9.0 to 3.9.1
Introduction of the property: -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls
This property must be configurable by the application, as customers or deployments use different OAuth endpoints.
The property must accept multiple URLs (whitelist), in the form of a comma-separated list without spaces.

Example value: -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=https://auth.example.com/token,https://auth.example.com/jwks

The property sasl.oauthbearer.token.endpoint.url remains necessary for the functionality of Kafka authentication. It still specifies where the access token is retrieved. The only new feature is that this URL is now compared with the whitelist (allowed.urls).

The token.endpoint.url may therefore only use values contained in the whitelist, otherwise access is blocked.

Implementation

Upgrade Kafka client to version 3.9.1
Introduce new configuration option for org.apache.kafka.sasl.oauthbearer.allowed.urls
Implement configuration as a list of permitted URLs (multiple values permitted)
Validation: token.endpoint.url and jwks.endpoint.url must match this whitelist
Protection at operating system level against unwanted file URLs