https://bugzilla.suse.com/show_bug.cgi?id=1190852

            Bug ID: 1190852
           Summary: VUL-1: CVE-2021-38153: kafka: Timing Attack Vulnerability
                    for Apache Kafka Connect and Clients
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.3
          Hardware: Other
               URL: https://smash.suse.de/issue/310623/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: mrostecki@suse.com
          Reporter: gabriele.sonnu@suse.com
        QA Contact: security-team@suse.de
          Found By: Security Response Team
           Blocker: ---

Some components in Apache Kafka use `Arrays.equals` to validate a password or
key, which is vulnerable to timing attacks that make brute force attacks for
such credentials more likely to be successful. Users should upgrade to 2.8.1
or higher, or 3.0.0 or higher where this vulnerability has been fixed.

The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2,
2.7.0, 2.7.1, and 2.8.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38153
http://seclists.org/oss-sec/2021/q3/184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
http://www.cvedetails.com/cve/CVE-2021-38153/
https://kafka.apache.org/cve-list
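The comparison pattern the advisory describes, as an added example that is not Kafka's code: an early-exit `Arrays.equals` credential check beside a constant-time replacement. The class name and the sample token are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public final class CredentialCompare {

    // The pattern the advisory describes: Arrays.equals exits at the first
    // mismatch, so the time spent rejecting a wrong credential depends on
    // where the supplied bytes diverge from the stored ones. That is the
    // side channel behind the CVE.
    static boolean vulnerableEquals(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Hardened form: MessageDigest.isEqual examines every byte of its first
    // argument regardless of where a mismatch occurs, so its cost does not
    // reveal how much of the credential was right. It is the usual JDK
    // drop-in for secret comparisons.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // The same idea written out: always walk the full length and OR every
    // byte difference into one accumulator, with no data-dependent exit.
    static boolean constantTimeEqualsManual(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false; // length is not treated as secret here
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample credential; not a real Kafka secret.
        byte[] stored = "s3cret-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] wrongEarly = "x3cret-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] wrongLate = "s3cret-token-valuX".getBytes(StandardCharsets.UTF_8);

        // All three comparators return the same answers; only the first one
        // does a data-dependent amount of work to reach them.
        System.out.println(vulnerableEquals(stored, stored)
                && constantTimeEquals(stored, stored)
                && constantTimeEqualsManual(stored, stored));
        System.out.println(!constantTimeEquals(stored, wrongEarly)
                && !constantTimeEqualsManual(stored, wrongLate));
    }
}
```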