Hi Randall,
Could you please share the JIRA ticket or the fixing commit? It might help
to evaluate the impact better.
Thank you!
Ivan
On Tue, 21 Sept 2021 at 19:37, Randall Hauch <rhauch@apache.org> wrote:
> Severity: moderate
>
> Description:
>
> Some components in Apache Kafka use `Arrays.equals` to validate a
> password or key, which is vulnerable to timing attacks that make brute
> force attacks for such credentials more likely to be successful. Users
> should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this
> vulnerability has been fixed. The affected versions include Apache
> Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1,
> 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and
> 2.8.0.
>
> Credit:
>
> Apache Kafka would like to thank J. Santilli for reporting this issue.
>
> References:
> https://kafka.apache.org/cve-list
>
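The advisory above describes the bug only in one sentence. As an added illustration (not code from the Kafka project, from the fixing commit, or from anyone on this thread), the following stand-alone Java program shows the leaky `Arrays.equals` pattern next to the usual JDK remedy, `MessageDigest.isEqual`, plus a hand-rolled compare that does not branch on length. The sample credential, the guesses and the method names are constructed for the example; an instrumented copy of the early-exit loop counts byte comparisons so the leak is visible without noisy wall-clock measurements.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // Vulnerable pattern: Arrays.equals stops at the first mismatching byte, so the
    // elapsed time reveals how many leading bytes of the guess were correct.
    static boolean checkLeaky(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Usual remedy in the JDK: MessageDigest.isEqual examines every byte before answering
    // (it still returns early when the two lengths differ).
    static boolean checkConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Hand-rolled variant that also does not branch on length: the loop always runs over
    // the longer input and folds every byte difference into a single accumulator.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int result = a.length ^ b.length;
        int len = Math.max(a.length, b.length);
        for (int i = 0; i < len; i++) {
            byte x = i < a.length ? a[i] : 0;
            byte y = i < b.length ? b[i] : 0;
            result |= x ^ y;
        }
        return result == 0;
    }

    // Instrumented copy of the early-exit algorithm, returning how many byte comparisons
    // were made before a verdict. One extra comparison per correct leading byte is the
    // signal a timing attack measures.
    static int earlyExitComparisons(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) return 0;
        int comparisons = 0;
        for (int i = 0; i < expected.length; i++) {
            comparisons++;
            if (expected[i] != supplied[i]) break;
        }
        return comparisons;
    }

    public static void main(String[] args) {
        // Constructed sample credential and attacker guesses (not real Kafka data).
        byte[] secret = "secret42".getBytes(StandardCharsets.UTF_8);
        String[] guesses = {"axxxxxxx", "sxxxxxxx", "sexxxxxx", "secxxxxx", "secret42"};

        for (String g : guesses) {
            byte[] guess = g.getBytes(StandardCharsets.UTF_8);
            System.out.printf("%-10s leaky=%-5b comparisons=%d constantTime=%b handRolled=%b%n",
                    g,
                    checkLeaky(secret, guess),
                    earlyExitComparisons(secret, guess),
                    checkConstantTime(secret, guess),
                    constantTimeEquals(secret, guess));
        }
        // The comparison count grows by one for each correct leading byte, letting an
        // attacker who can time the server recover the credential byte by byte. The two
        // constant-time checks return the same verdicts but touch every byte every time.
    }
}
```

Both constant-time variants give identical verdicts to `Arrays.equals`; only the work done per call stops depending on where the first mismatch sits. If the length of the stored secret must also stay hidden, compare fixed-length digests (for example SHA-256 of both values) with one of the constant-time routines rather than the raw bytes.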