You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@kafka.apache.org by Rajini Sivaram <ra...@gmail.com> on 2018/07/26 09:25:22 UTC

CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

CVE-2018-1288: Authenticated Kafka clients may interfere with data
replication



Severity: Moderate



Vendor: The Apache Software Foundation



Versions Affected:

Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to
0.11.0.2, 1.0.0



Description:

Authenticated Kafka users may perform action reserved for the Broker via a
manually created fetch request interfering with data replication, resulting
in data loss.



Mitigation:

Apache Kafka users should upgrade to one of the following versions where
this vulnerability has been fixed.


   - 0.10.2.2 or higher
   - 0.11.0.3 or higher
   - 1.0.1 or higher
   - 1.1.0 or higher



Acknowledgements:

We would like to thank Edoardo Comar and Mickael Maison for reporting this
issue and providing a resolution.



Regards,


Rajini

Re: CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

Posted by Mickael Maison <mi...@gmail.com>.

Thanks Rajini and the rest of the security team for handling this issue.

For people interested in more details about the issue and its
discovery we've published a blog post:
https://developer.ibm.com/dwblog/2018/anatomy-kafka-cve/

On Thu, Jul 26, 2018 at 10:25 AM, Rajini Sivaram
<ra...@gmail.com> wrote:
>
> CVE-2018-1288: Authenticated Kafka clients may interfere with data
> replication
>
>
>
> Severity: Moderate
>
>
>
> Vendor: The Apache Software Foundation
>
>
>
> Versions Affected:
>
> Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2,
> 1.0.0
>
>
>
> Description:
>
> Authenticated Kafka users may perform action reserved for the Broker via a
> manually created fetch request interfering with data replication, resulting
> in data loss.
>
>
>
> Mitigation:
>
> Apache Kafka users should upgrade to one of the following versions where
> this vulnerability has been fixed.
>
> 0.10.2.2 or higher
> 0.11.0.3 or higher
> 1.0.1 or higher
> 1.1.0 or higher
>
>
>
> Acknowledgements:
>
> We would like to thank Edoardo Comar and Mickael Maison for reporting this
> issue and providing a resolution.
>
>
>
> Regards,
>
>
> Rajini

Fwd: CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

Posted by Rajini Sivaram <rs...@apache.org>.

CVE-2018-1288: Authenticated Kafka clients may interfere with data
replication



Severity: Moderate



Vendor: The Apache Software Foundation



Versions Affected:

Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to
0.11.0.2, 1.0.0



Description:

Authenticated Kafka users may perform action reserved for the Broker via a
manually created fetch request interfering with data replication, resulting
in data loss.



Mitigation:

Apache Kafka users should upgrade to one of the following versions where
this vulnerability has been fixed.


   - 0.10.2.2 or higher
   - 0.11.0.3 or higher
   - 1.0.1 or higher
   - 1.1.0 or higher



Acknowledgements:

We would like to thank Edoardo Comar and Mickael Maison for reporting this
issue and providing a resolution.



Regards,


Rajini

Re: CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

Posted by Mickael Maison <mi...@gmail.com>.

Thanks Rajini and the rest of the security team for handling this issue.

For people interested in more details about the issue and its
discovery we've published a blog post:
https://developer.ibm.com/dwblog/2018/anatomy-kafka-cve/

On Thu, Jul 26, 2018 at 10:25 AM, Rajini Sivaram
<ra...@gmail.com> wrote:
>
> CVE-2018-1288: Authenticated Kafka clients may interfere with data
> replication
>
>
>
> Severity: Moderate
>
>
>
> Vendor: The Apache Software Foundation
>
>
>
> Versions Affected:
>
> Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2,
> 1.0.0
>
>
>
> Description:
>
> Authenticated Kafka users may perform action reserved for the Broker via a
> manually created fetch request interfering with data replication, resulting
> in data loss.
>
>
>
> Mitigation:
>
> Apache Kafka users should upgrade to one of the following versions where
> this vulnerability has been fixed.
>
> 0.10.2.2 or higher
> 0.11.0.3 or higher
> 1.0.1 or higher
> 1.1.0 or higher
>
>
>
> Acknowledgements:
>
> We would like to thank Edoardo Comar and Mickael Maison for reporting this
> issue and providing a resolution.
>
>
>
> Regards,
>
>
> Rajini