List: oss-security
Subject: [oss-security] CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients
From: Randall Hauch <rhauch () apache ! org>
Date: 2021-09-21 16:33:57
Message-ID: de8ffe7a-5058-ccb8-f3a8-c59a6564ed9c () apache ! org
Severity: moderate
Description:
Some components in Apache Kafka use `Arrays.equals` to validate a password
or key, which is vulnerable to timing attacks that make brute force attacks
for such credentials more likely to be successful. Users should upgrade to
2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been
fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1,
2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1,
2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Credit:
Apache Kafka would like to thank J. Santilli for reporting this issue.
References:
https://kafka.apache.org/cve-list
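The advisory above names the root cause (`Arrays.equals` on a secret) but not why it leaks or what the safe replacement looks like. The following is an added example, not Kafka's code and not the project's actual fix: it shows the short-circuit that `Arrays.equals` performs, a hand-written constant-time comparison, and the JDK's `MessageDigest.isEqual`, whose implementation has not short-circuited on a content mismatch since JDK 6u17. The class name, method names and the stored credential literal are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example (not Apache Kafka code). Contrasts a comparison that leaks
 * timing with two comparisons that do not. Names and the secret are
 * hypothetical; a real service would hold a salted hash, not a literal.
 */
public final class CredentialCheck {

    // Hypothetical stored secret (constructed for this example).
    private static final byte[] STORED =
            "s3cr3t-token-value".getBytes(StandardCharsets.UTF_8);

    /** VULNERABLE: Arrays.equals returns as soon as it finds a differing
     *  byte (and immediately on a length mismatch), so elapsed time reveals
     *  how many leading bytes of the guess were correct. An attacker can
     *  recover the secret one byte at a time instead of brute-forcing it. */
    static boolean checkVulnerable(byte[] presented) {
        return Arrays.equals(STORED, presented);
    }

    /** What Arrays.equals does, written out so the early exit is visible. */
    static boolean shortCircuitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;   // data-dependent early return
        }
        return true;
    }

    /** Constant-time comparison: every byte is visited regardless of where
     *  the first mismatch is, and the result is accumulated with OR rather
     *  than branched on. Only the length difference remains observable. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];               // no branch on secret data
        }
        return diff == 0;
    }

    /** HARDENED: the JDK's own non-short-circuiting comparison. */
    static boolean checkHardened(byte[] presented) {
        return MessageDigest.isEqual(STORED, presented);
    }

    /** Variant that also hides the secret's length: compare fixed-size
     *  digests instead of the raw values. Suitable when the stored value
     *  is a key or token rather than a salted password hash. */
    static boolean checkHashedHardened(byte[] presented)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] expected = md.digest(STORED);
        byte[] actual = md.digest(presented);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        byte[] good = "s3cr3t-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] bad  = "s3cr3t-XXXXX-value".getBytes(StandardCharsets.UTF_8);
        byte[] shrt = "s3cr3t".getBytes(StandardCharsets.UTF_8);

        // All four comparisons agree on the verdict; only their timing differs.
        System.out.println("vulnerable:  " + checkVulnerable(good) + " "
                + checkVulnerable(bad) + " " + checkVulnerable(shrt));
        System.out.println("manual ct:   " + constantTimeEquals(STORED, good) + " "
                + constantTimeEquals(STORED, bad) + " " + constantTimeEquals(STORED, shrt));
        System.out.println("isEqual:     " + checkHardened(good) + " "
                + checkHardened(bad) + " " + checkHardened(shrt));
        System.out.println("hash+isEqual:" + checkHashedHardened(good) + " "
                + checkHashedHardened(bad) + " " + checkHashedHardened(shrt));
    }
}
```

When auditing for this class of bug, grep for `Arrays.equals`, `String.equals` and `==` wherever the operands are passwords, API keys, HMAC tags or session tokens; any of them that an unauthenticated caller can drive repeatedly is a candidate. Note that the hand-written loop above is only constant-time as far as the JIT preserves it; the JDK's `MessageDigest.isEqual` is the conventional choice precisely because it is maintained with that property in mind.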