Timing Attack Vulnerability for Apache Kafka Connect and Clients
CVE-2021-38153

5.9MEDIUM

Key Information:

Vendor
Apache
Status
Apache Kafka
Vendor
CVE Published:
22 September 2021

Summary

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Affected Version(s)

Apache Kafka Apache Kafka 2.0.x <= 2.0.1

Apache Kafka Apache Kafka 2.1.x <= 2.1.1

Apache Kafka Apache Kafka 2.2.x <= 2.2.2

References

https://kafka.apache.org/cve-list
x_refsource_MISC
https://lists.apache.org/thread.html/r35322aec467ddae3400...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e4...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Apache Kafka would like to thank J. Santilli for reporting this issue.
.