Bug ID 1190852
Summary VUL-1: CVE-2021-38153: kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.3
Hardware Other
URL https://smash.suse.de/issue/310623/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee mrostecki@suse.com
Reporter gabriele.sonnu@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

Some components in Apache Kafka use `Arrays.equals` to validate a password or
key, which is vulnerable to timing attacks that make brute force attacks for
such credentials more likely to be successful. Users should upgrade to 2.8.1 or
higher, or 3.0.0 or higher, where this vulnerability has been fixed. The
affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2,
2.7.0, 2.7.1, and 2.8.0.
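The following is an added illustration for this bug, not code from the Kafka
project or from the upstream fix. It shows why an early-exit byte comparison of
the kind `java.util.Arrays.equals` performs leaks information about a secret:
the number of bytes examined before the mismatch (a proxy for the time an
attacker measures over the network) grows with the length of the correct
prefix, so the credential can be recovered byte by byte instead of by full
brute force. Two constant-time alternatives are shown beside it: a hand-rolled
XOR-accumulate loop and the JDK's `MessageDigest.isEqual`, which is documented
to run in time independent of the byte contents. The secret and the guesses are
constructed sample values, and the class name is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/*
 * Added example, not Kafka project code: early-exit comparison versus
 * constant-time comparison of a secret. Sample secret and guesses are
 * constructed for the demonstration; the class name is an assumption.
 */
public class ConstantTimeCompareDemo {

    /** Result of the early-exit comparison together with how many bytes were
     *  inspected before returning. That count is what leaks through timing. */
    static final class EarlyExitResult {
        final boolean equal;
        final int bytesInspected;
        EarlyExitResult(boolean equal, int bytesInspected) {
            this.equal = equal;
            this.bytesInspected = bytesInspected;
        }
    }

    /** Mirrors the observable behaviour of Arrays.equals: it returns as soon
     *  as the first differing byte is found, so a guess that shares a longer
     *  correct prefix with the secret takes measurably longer to reject. */
    static EarlyExitResult earlyExitEquals(byte[] secret, byte[] guess) {
        if (secret.length != guess.length) {
            return new EarlyExitResult(false, 0);
        }
        for (int i = 0; i < secret.length; i++) {
            if (secret[i] != guess[i]) {
                return new EarlyExitResult(false, i + 1);
            }
        }
        return new EarlyExitResult(true, secret.length);
    }

    /** Constant-time comparison: walks every byte regardless of where the
     *  first mismatch is and ORs all differences together, so the running
     *  time depends only on the length, never on the contents. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false; // length is treated as public here
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample secret; guesses share 0, 2, 9 and 12 correct leading bytes.
        byte[] secret = "s3cr3t-token".getBytes(StandardCharsets.US_ASCII);
        String[] guesses = {
            "a3cr3t-token",
            "s3xxxxxxxxxx",
            "s3cr3t-toxxx",
            "s3cr3t-token"
        };
        for (String g : guesses) {
            byte[] guess = g.getBytes(StandardCharsets.US_ASCII);
            EarlyExitResult r = earlyExitEquals(secret, guess);
            System.out.printf(
                "%-14s early-exit: equal=%-5b inspected=%2d bytes | "
                + "constant-time: %-5b | MessageDigest.isEqual: %b%n",
                g, r.equal, r.bytesInspected,
                constantTimeEquals(secret, guess),
                MessageDigest.isEqual(secret, guess));
        }
    }
}
```

Running the class prints one line per guess; the `inspected` column rises from
1 to 3 to 10 to 12 as the correct prefix lengthens, while both constant-time
variants give only the boolean answer with no content-dependent work. When
auditing a code base for this class of bug, grep for `Arrays.equals` and
`String.equals` on anything that holds a password, token, MAC or key, and
replace those calls with `MessageDigest.isEqual` or an equivalent loop that
never returns early.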

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38153
http://seclists.org/oss-sec/2021/q3/184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
http://www.cvedetails.com/cve/CVE-2021-38153/
https://kafka.apache.org/cve-list
