Posted to users@kafka.apache.org by Ivan Yurchenko <iv...@gmail.com> on 2021/09/22 04:54:35 UTC

Re: CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients

Hi Randall,

Could you please share the JIRA ticket or the fixing commit? It might help
to evaluate the impact better.
Thank you!

Ivan


On Tue, 21 Sept 2021 at 19:37, Randall Hauch <rh...@apache.org> wrote:

> Severity: moderate
>
> Description:
>
> Some components in Apache Kafka use `Arrays.equals` to validate a
> password or key, which is vulnerable to timing attacks that make brute
> force attacks for such credentials more likely to be successful. Users
> should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this
> vulnerability has been fixed. The affected versions include Apache
> Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1,
> 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and
> 2.8.0.
>
> Credit:
>
> Apache Kafka would like to thank J. Santilli for reporting this issue.
>
> References:
> https://kafka.apache.org/cve-list
>
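The quoted advisory names the defect class (a secret compared with `Arrays.equals`, which stops at the first differing byte) without showing code. The following is an added example, not code from the advisory or from the Apache Kafka code base: a shared-secret HMAC tag check written once with the short-circuiting `Arrays.equals` pattern and once with the JDK's `java.security.MessageDigest.isEqual`, which is the standard constant-time replacement. The class name, method names, key and message bytes are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Kafka code): verifying a shared-secret HMAC tag with a
 * constant-time comparison, next to the short-circuiting Arrays.equals pattern
 * the advisory describes. All names and sample values are constructed.
 */
public class ConstantTimeTagCheck {

    private static final String HMAC_ALG = "HmacSHA256";

    // Compute the expected tag for a message under the shared key.
    static byte[] computeTag(byte[] key, byte[] message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        return mac.doFinal(message);
    }

    // Vulnerable pattern: Arrays.equals returns as soon as it finds a differing
    // byte, so the time it takes depends on how long a prefix of the supplied
    // tag is correct. That is the timing side channel the advisory refers to.
    static boolean verifyTagShortCircuit(byte[] key, byte[] message, byte[] suppliedTag)
            throws GeneralSecurityException {
        return Arrays.equals(computeTag(key, message), suppliedTag);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of equal-length
    // inputs before deciding (constant-time since JDK 6u17), so a near-miss costs
    // the same as a complete mismatch. It does return early when the lengths
    // differ, which is acceptable here because HMAC-SHA256 tags are always 32 bytes.
    static boolean verifyTagConstantTime(byte[] key, byte[] message, byte[] suppliedTag)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(computeTag(key, message), suppliedTag);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values; a real key comes from configuration, never from source.
        byte[] key = "example-shared-secret-do-not-use".getBytes(StandardCharsets.UTF_8);
        byte[] message = "constructed request body".getBytes(StandardCharsets.UTF_8);

        byte[] goodTag = computeTag(key, message);
        byte[] badTag = goodTag.clone();
        badTag[badTag.length - 1] ^= 0x01; // correct except for the final byte

        // Both checks agree on the answer; only the hardened one takes the same
        // time for the near-miss as for any other wrong tag.
        System.out.println("valid tag, short-circuit   : " + verifyTagShortCircuit(key, message, goodTag));
        System.out.println("valid tag, constant-time   : " + verifyTagConstantTime(key, message, goodTag));
        System.out.println("tampered tag, short-circuit: " + verifyTagShortCircuit(key, message, badTag));
        System.out.println("tampered tag, constant-time: " + verifyTagConstantTime(key, message, badTag));
    }
}
```

Compile and run with `javac ConstantTimeTagCheck.java && java ConstantTimeTagCheck`. Two practical points follow from the choice of `MessageDigest.isEqual`: it is only constant-time when both inputs have the same length, so for variable-length secrets such as passwords, compare fixed-length verifiers (a salted password hash or an HMAC over the value) rather than the raw bytes; and a code review for this defect class is a search for `Arrays.equals`, `String.equals` and `==` applied to anything derived from a key, token or password.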