CVE-2021-38153

Observable Discrepancy in maven/org.apache.kafka/kafka-clients

Identifiers

GHSA-3j6g-hxx5-3q26, CVE-2021-38153

Package Slug

maven/org.apache.kafka/kafka-clients

Vulnerability

Observable Discrepancy

Description

Some components in Apache Kafka use Arrays.equals to validate a password or key. That comparison is vulnerable to timing attacks, which make brute-force attacks against such credentials more likely to succeed. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
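The following Java program is an added illustration of the weakness class named above; it is not Kafka's code and does not reproduce the affected components. It compares an early-exit byte comparison (the behaviour of Arrays.equals, re-implemented here with a counter so the data dependence is visible) against a constant-time comparison of the kind used to fix such issues. The class and method names, and the sample secrets, are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example: not part of the Kafka project. Hypothetical credential
// checker used only to contrast early-exit and constant-time comparison.
public final class CredentialCompare {

    // Counts how many byte positions a comparison examined on its last call.
    static int bytesExamined = 0;

    // Early-exit comparison with the same semantics as Arrays.equals:
    // it returns as soon as the first mismatching byte is found, so the
    // work done (and therefore the time taken) depends on how many leading
    // bytes of the presented value match the stored secret.
    static boolean equalsEarlyExit(byte[] stored, byte[] presented) {
        bytesExamined = 0;
        if (stored.length != presented.length) {
            return false;
        }
        for (int i = 0; i < stored.length; i++) {
            bytesExamined++;
            if (stored[i] != presented[i]) {
                return false; // data-dependent exit
            }
        }
        return true;
    }

    // Constant-time comparison: every byte is visited and the differences
    // are OR-ed together, so there is no branch that depends on where the
    // first mismatch sits. Only the length check is data dependent, and
    // the length of a stored credential is not a secret an attacker learns
    // byte by byte.
    static boolean equalsConstantTime(byte[] stored, byte[] presented) {
        bytesExamined = 0;
        if (stored.length != presented.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < stored.length; i++) {
            bytesExamined++;
            diff |= stored[i] ^ presented[i];
        }
        return diff == 0;
    }

    // The JDK's own constant-time comparison, which is the usual drop-in
    // replacement for Arrays.equals when comparing secrets.
    static boolean equalsJdk(byte[] stored, byte[] presented) {
        return MessageDigest.isEqual(stored, presented);
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        byte[] stored = utf8("s3cr3t-passw0rd");
        byte[] wrongAtFirstByte = utf8("X3cr3t-passw0rd");
        byte[] wrongAtLastByte = utf8("s3cr3t-passw0rX");
        byte[] correct = utf8("s3cr3t-passw0rd");

        System.out.println("Arrays.equals (reference): "
                + Arrays.equals(stored, wrongAtLastByte));

        equalsEarlyExit(stored, wrongAtFirstByte);
        System.out.println("early-exit, mismatch at byte 0:  examined "
                + bytesExamined + " byte(s)");   // 1
        equalsEarlyExit(stored, wrongAtLastByte);
        System.out.println("early-exit, mismatch at byte 14: examined "
                + bytesExamined + " byte(s)");   // 15

        equalsConstantTime(stored, wrongAtFirstByte);
        System.out.println("constant-time, mismatch at byte 0:  examined "
                + bytesExamined + " byte(s)");   // 15
        equalsConstantTime(stored, wrongAtLastByte);
        System.out.println("constant-time, mismatch at byte 14: examined "
                + bytesExamined + " byte(s)");   // 15

        System.out.println("constant-time, correct secret: "
                + equalsConstantTime(stored, correct));   // true
        System.out.println("MessageDigest.isEqual, correct secret: "
                + equalsJdk(stored, correct));            // true
    }
}
```

The counter makes the point without a noisy microbenchmark: the early-exit comparison does 1 unit of work when the first byte is wrong and 15 when only the last byte is wrong, which is the signal a timing measurement would try to recover; the constant-time variants do 15 units either way. When auditing a code base for this pattern, searching for Arrays.equals (and String.equals) applied to passwords, tokens, MACs or keys and replacing those calls with MessageDigest.isEqual is the standard remediation.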

Affected Versions

All versions starting from 2.0.0 before 2.6.3, all versions starting from 2.7.0 before 2.7.2, version 2.8.0

Solution

Upgrade to versions 2.6.3, 2.7.2, 2.8.1 or above.

Last Modified

2023-09-06
