Some components in Apache Kafka use Arrays.equals
to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Kafka | Apache | 2.0.0 (including) | 2.6.3 (excluding) |
Kafka | Apache | 2.7.0 (including) | 2.7.2 (excluding) |
Kafka | Apache | 2.8.0 (including) | 2.8.0 (including) |
Red Hat AMQ Streams 1.6.6 | RedHat | kafka | * |
Red Hat AMQ Streams 1.6.6 | RedHat | kafka-clients | * |
Red Hat AMQ Streams 2.0.0 | RedHat | kafka | * |
Red Hat build of Quarkus 2.2.5 | RedHat | kafka-clients | * |
Red Hat Data Grid 8.3.1 | RedHat | kafka-clients | * |
Red Hat Fuse 7.11 | RedHat | kafka-clients | * |
RHAF Camel-K 1.8 | RedHat | kafka-clients | * |
RHINT Camel-Q 2.7 | RedHat | kafka-clients | * |
RHINT Service Registry 2.0.3 GA | RedHat | kafka-clients | * |
Vert.x 4.2.5 | RedHat | kafka | * |
Vert.x 4.2.5 | RedHat | kafka-clients | * |
Kafka | Ubuntu | esm-apps/bionic | * |
Kafka | Ubuntu | trusty | * |
Kafka | Ubuntu | xenial | * |