Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zajZnLWh4eDUtM3EyNs0V9g

Observable Discrepancy in Apache Kafka

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Permalink: https://github.com/advisories/GHSA-3j6g-hxx5-3q26
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zajZnLWh4eDUtM3EyNs0V9g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-3j6g-hxx5-3q26, CVE-2021-38153
References:
Blast Radius: 25.4

Affected Packages

maven:org.apache.kafka:kafka-clients
Dependent packages: 2,034
Dependent repositories: 20,086
Downloads:
Affected Version Ranges: = 2.8.0; >= 2.7.0, < 2.7.2; >= 2.0.0, < 2.6.3
Fixed in: 2.8.1, 2.7.2, 2.6.3
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.6.3, 2.7.2, 2.8.1, 2.8.2, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0
maven:org.apache.kafka:kafka_2.13
Dependent packages: 180
Dependent repositories: 780
Downloads:
Affected Version Ranges: = 2.8.0; >= 2.7.0, < 2.7.2; >= 2.4.0, < 2.6.3
Fixed in: 2.8.1, 2.7.2, 2.6.3
All affected versions: 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0
All unaffected versions: 2.6.3, 2.7.2, 2.8.1, 2.8.2, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0
maven:org.apache.kafka:kafka_2.12
Dependent packages: 401
Dependent repositories: 2,441
Downloads:
Affected Version Ranges: = 2.8.0; >= 2.7.0, < 2.7.2; >= 2.0.0, < 2.6.3
Fixed in: 2.8.1, 2.7.2, 2.6.3
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.6.3, 2.7.2, 2.8.1, 2.8.2, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0
maven:org.apache.kafka:kafka_2.11
Dependent packages: 618
Dependent repositories: 3,806
Downloads:
Affected Version Ranges: >= 2.0.0, <= 2.4.1
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1