You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by Rajini Sivaram <rs...@apache.org> on 2018/07/26 09:19:45 UTC
CVE-2017-12610: Authenticated Kafka clients may impersonate other users
CVE-2017-12610: Authenticated Kafka clients may impersonate other users
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Kafka 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1
Description:
Authenticated Kafka clients may use impersonation via a manually crafted
protocol message with SASL/PLAIN or SASL/SCRAM authentication when using
the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Mitigation:
Apache Kafka users should upgrade to one of the following versions where
this vulnerability has been fixed:
- 0.10.2.2 or higher
- 0.11.0.2 or higher
- 1.0.0 or higher
Acknowledgements:
This issue was reported by Rajini Sivaram.
Regards,
Rajini