Timing Attack Vulnerability for Apache Kafka Connect and Clients
CVE-2021-38153

5.9MEDIUM

Key Information:

Vendor

Apache
Status
Apache Kafka
Vendor
CVE Published:
22 September 2021

What is CVE-2021-38153?

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Kafka Apache Kafka 2.0.x <= 2.0.1

Apache Kafka Apache Kafka 2.1.x <= 2.1.1

Apache Kafka Apache Kafka 2.2.x <= 2.2.2

References

https://kafka.apache.org/cve-list
x_refsource_MISC
https://lists.apache.org/thread.html/r35322aec467ddae3400...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e4...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Apache Kafka would like to thank J. Santilli for reporting this issue.
JSON
.