Posted to commits@kafka.apache.org by ma...@apache.org on 2022/09/19 15:51:47 UTC
[kafka-site] branch asf-site updated: MINOR: Update CVE-2022-34917 details
This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 25a1407b MINOR: Update CVE-2022-34917 details
25a1407b is described below
commit 25a1407bb7f0596b226a1d9a7060f8d4ef3cc975
Author: Manikumar Reddy <ma...@gmail.com>
AuthorDate: Tue Sep 6 02:53:25 2022 +0530
MINOR: Update CVE-2022-34917 details
---
cve-list.html | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/cve-list.html b/cve-list.html
index dbca2886..2c4bf6ee 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,40 @@
This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
+ <h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
+
+ <p>This CVE identified a flaw where it allows the malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and
+ causing denial of service.</p>
+
+ <table class="data-table">
+ <tbody>
+ <tr>
+ <td>Versions affected</td>
+ <td>2.8.0 - 2.8.1, 3.0.0 - 3.0.1, 3.1.0 - 3.1.1, 3.2.0 - 3.2.1</td>
+ </tr>
+ <tr>
+ <td>Fixed versions</td>
+ <td>2.8.2, 3.0.2, 3.1.2, 3.2.3</td>
+ </tr>
+ <tr>
+ <td>Impact</td>
+ <td>Example scenarios in which attacker can cause OutOfMemoryError on brokers<br>
+ - Kafka cluster without authentication: Any clients able to establish
+ a network connection to a broker can trigger the issue.<br>
+ - Kafka cluster with SASL authentication: Any clients able to
+ establish a network connection to a broker, without the need for valid
+ SASL credentials, can trigger the issue.<br>
+ - Kafka cluster with TLS authentication: Only clients able to
+ successfully authenticate via TLS can trigger the issue.<br>
+ </td>
+ </tr>
+ <tr>
+ <td>Issue announced</td>
+ <td>19 Sep 2022</td>
+ </tr>
+ </tbody>
+ </table>
+
<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a> Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging library in versions 1.x</h2>
<p>This CVE identified a flaw where it allows the attacker to provide a TopicConnectionFactoryBindingName configuration that will cause JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.</p>
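Review bot: the new paragraph at the `<p>` for CVE-2022-34917 says brokers hit "OutOfMemoryException", while the `<h2>` on the line above says "OutOfMemoryError"; the two should agree, and the heading's term is the one matching the Impact cell ("attacker can cause OutOfMemoryError on brokers"). The same sentence also reads awkwardly ("a flaw where it allows the malicious unauthenticated clients to allocate ... This can lead to brokers hitting ... and causing denial of service"); suggest "This CVE identified a flaw that allows malicious unauthenticated clients to allocate large amounts of memory on brokers, which can lead to brokers hitting OutOfMemoryError and cause a denial of service." In the "Versions affected" row the 3.2 range stops at 3.2.1 but the fixed version is 3.2.3, so 3.2.2 is in neither row; either extend the affected range or state why it is omitted, since readers of this table will use it to decide whether they need to upgrade. Finally, the Impact cell lists its three scenarios with `<br>` and a leading "- "; if the rest of cve-list.html uses `<ul>`/`<li>` inside cells, match that so the list renders consistently.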