[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2017-12610: Authenticated Kafka clients may impersonate other users
From:       Rajini Sivaram <rsivaram () apache ! org>
Date:       2018-07-26 9:19:45
Message-ID: CAOJcB383nmC+pxBXoc2JcuD4TXgQrvgjCuovNavmt6sFs4+sBQ () mail ! gmail ! com
[Download RAW message or body]


CVE-2017-12610: Authenticated Kafka clients may impersonate other users


Severity: Moderate



Vendor: The Apache Software Foundation



Versions Affected:

Apache Kafka 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1



Description:

Authenticated Kafka clients may use impersonation via a manually crafted
protocol message with SASL/PLAIN or SASL/SCRAM authentication when using
the built-in PLAIN or SCRAM server implementations in Apache Kafka.



Mitigation:

Apache Kafka users should upgrade to one of the following versions where
this vulnerability has been fixed:


   - 0.10.2.2 or higher
   - 0.11.0.2 or higher
   - 1.0.0 or higher



Acknowledgements:

This issue was reported by Rajini Sivaram.



Regards,


Rajini


[prev in list] [next in list] [prev in thread] [next in thread]