
List:       oss-security
Subject:    [oss-security] CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients
From:       Randall Hauch <rhauch () apache ! org>
Date:       2021-09-21 16:33:57
Message-ID: de8ffe7a-5058-ccb8-f3a8-c59a6564ed9c () apache ! org

Severity: moderate

Description:

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
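The following is an added illustration of the defect class named above and of its standard remedy; it is not Apache Kafka code and does not reproduce the patched Kafka components. The class and method names, and the sample secrets, are constructed for the example. `Arrays.equals` returns as soon as it finds a differing byte, so the time it takes depends on how long the common prefix of the two inputs is. The JDK's `MessageDigest.isEqual` examines every byte of equal-length inputs before deciding, and the hand-written loop shows the same idea for readers who want to see what "constant-time" means in practice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical helper (not from Kafka) showing a timing-dependent credential
// check next to two constant-time alternatives.
public final class SecretCompare {

    // The pattern the advisory describes: Arrays.equals stops at the first
    // differing byte, so a near-miss guess takes measurably longer than a
    // guess that is wrong in the first byte.
    static boolean earlyExitEquals(byte[] expected, byte[] presented) {
        return Arrays.equals(expected, presented);
    }

    // Hardened form using the JDK API intended for this purpose. For inputs of
    // equal length it compares all bytes regardless of where they first differ.
    // A length mismatch is reported immediately; only the length is revealed,
    // not any byte of the secret.
    static boolean constantTimeEquals(byte[] expected, byte[] presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected, presented);
    }

    // Equivalent hand-written loop: OR together every byte difference and look
    // at the accumulated result only after the loop has run to completion, so
    // the number of iterations does not depend on where the inputs differ.
    static boolean constantTimeEqualsManual(byte[] expected, byte[] presented) {
        if (expected == null || presented == null) {
            return false;
        }
        int diff = expected.length ^ presented.length;
        int n = Math.min(expected.length, presented.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ presented[i];
        }
        return diff == 0;
    }

    private static byte[] bytes(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration only.
        byte[] stored = bytes("s3cr3t-example-password");
        byte[][] candidates = {
            bytes("s3cr3t-example-password"),   // exact match
            bytes("s3cr3t-example-passwore"),   // differs in the last byte
            bytes("x3cr3t-example-password"),   // differs in the first byte
            bytes("short"),                     // different length
        };

        for (byte[] candidate : candidates) {
            boolean unsafe = earlyExitEquals(stored, candidate);
            boolean safe = constantTimeEquals(stored, candidate);
            boolean manual = constantTimeEqualsManual(stored, candidate);
            // All three must agree on the answer; only their timing profile differs.
            if (unsafe != safe || safe != manual) {
                throw new AssertionError("comparison functions disagree");
            }
            System.out.printf("%-28s match=%b%n",
                    new String(candidate, StandardCharsets.UTF_8), safe);
        }
    }
}
```

When reviewing code for this defect, the thing to look for is any equality check on a secret (password, API key, HMAC tag, session token) that goes through `Arrays.equals`, `String.equals`, or a loop with an early `return false`; each of those should be replaced by `MessageDigest.isEqual` or an accumulating comparison like `constantTimeEqualsManual`. A mismatch in length is still reported quickly by both hardened versions, which is acceptable for fixed-length keys and hashes but worth keeping in mind where the secret's length is itself sensitive.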

Credit:

Apache Kafka would like to thank J. Santilli for reporting this issue.

References:

https://kafka.apache.org/cve-list
