Posted to commits@kafka.apache.org by rh...@apache.org on 2021/09/21 16:17:35 UTC

[kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)

This is an automated email from the ASF dual-hosted git repository.

rhauch pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new d4258bd  Add CVE-2021-38153 (#375)
d4258bd is described below

commit d4258bd575d84a60dfb929e2f97a3f7997f0c63d
Author: Randall Hauch <rh...@gmail.com>
AuthorDate: Tue Sep 21 11:17:28 2021 -0500

    Add CVE-2021-38153 (#375)
---
 cve-list.html | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index ec22cfa..de6d308 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,35 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
+Timing Attack Vulnerability for Apache Kafka Connect and Clients</h2>
+
+<p>Some components in Apache Kafka use <code>Arrays.equals</code> to validate a password or key, 
+which is vulnerable to timing attacks that make brute force attacks for such credentials
+more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher
+where this vulnerability has been fixed.</p>
+
+<table class="data-table">
+<tbody>
+  <tr>
+    <td>Versions affected</td>
+    <td>2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0.</td>
+  </tr>
+  <tr>
+    <td>Fixed versions</td>
+    <td>2.8.1, 3.0.0 and later</td>
+  </tr>
+  <tr>
+    <td>Impact</td>
+    <td>This issue could result in privilege escalation.</td>
+  </tr>
+  <tr>
+    <td>Issue announced</td>
+    <td>21 Sep 2021</td>
+  </tr>
+</tbody>
+</table>
+
 <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
 Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint</h2>
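Review bot: the "Versions affected" cell in the new CVE-2021-38153 table ends with a trailing period ("... 2.8.0.") while the other cells in the table do not; drop it for consistency with the rest of the entry. Two smaller points in the same hunk: the paragraph names `Arrays.equals` but not which components use it to validate passwords or keys, while the heading says "Apache Kafka Connect and Clients", so the paragraph could repeat that scope so readers know whether their deployment is exposed; and the MITRE link uses `http://` where an `https://` link would be preferable for a security advisory.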