Posted to commits@kafka.apache.org by ma...@apache.org on 2022/09/19 15:51:47 UTC

[kafka-site] branch asf-site updated: MINOR: Update CVE-2022-34917 details

This is an automated email from the ASF dual-hosted git repository.

manikumar pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 25a1407b MINOR: Update CVE-2022-34917 details
25a1407b is described below

commit 25a1407bb7f0596b226a1d9a7060f8d4ef3cc975
Author: Manikumar Reddy <ma...@gmail.com>
AuthorDate: Tue Sep 6 02:53:25 2022 +0530

    MINOR: Update CVE-2022-34917 details
---
 cve-list.html | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index dbca2886..2c4bf6ee 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,40 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+      <h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
+
+      <p>This CVE identified a flaw where it allows the malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and
+        causing denial of service.</p>
+
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>2.8.0 - 2.8.1, 3.0.0 - 3.0.1, 3.1.0 - 3.1.1, 3.2.0 - 3.2.1</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>2.8.2, 3.0.2, 3.1.2, 3.2.3</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td>Example scenarios in which attacker can cause OutOfMemoryError on brokers<br>
+            - Kafka cluster without authentication: Any clients able to establish
+            a network connection to a broker can trigger the issue.<br>
+            - Kafka cluster with SASL authentication: Any clients able to
+            establish a network connection to a broker, without the need for valid
+            SASL credentials, can trigger the issue.<br>
+            - Kafka cluster with TLS authentication: Only clients able to
+            successfully authenticate via TLS can trigger the issue.<br>
+          </td>
+        </tr>
+        <tr>
+          <td>Issue announced</td>
+          <td>19 Sep 2022</td>
+        </tr>
+        </tbody>
+      </table>
+
 <h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a> Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging library in versions 1.x</h2>
 
   <p>This CVE identified a flaw where it allows the attacker to provide a TopicConnectionFactoryBindingName configuration that will cause JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.</p>
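Review bot: The description paragraph in the added block is grammatically off and names the wrong exception type: the heading says "OutOfMemoryError" (the correct Java name, and the term the Impact cell also uses) while the paragraph says "brokers hitting OutOfMemoryException". Suggest rewording to "This CVE identifies a flaw that allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryError, causing denial of service." Two smaller style points in the same block: the `<h2>` has a stray trailing space before `</h2>`, and the whole new entry is indented six spaces whereas the neighbouring CVE-2022-23302 entry starts at column 0, so the indentation should be aligned with the existing entries.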