Some components in Apache Kafka validate a password or key with `Arrays.equals`. That method compares the lengths first and then stops at the first mismatching byte, so the time taken to reject a guess depends on how much of its prefix is correct; this timing side channel makes brute-force attacks on such credentials more likely to succeed. The issue is fixed in 2.8.1 and 3.0.0: users should upgrade to 2.8.1 or higher, or 3.0.0 or higher. Affected versions are Apache Kafka 2.0.0 through 2.8.0, specifically 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
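The following is an added illustration of the flaw class described above; it is not Apache Kafka's code, and the class and method names (`CredentialCompare`, `equalsEarlyExit`, `equalsConstantTime`, and so on) are hypothetical. It places the early-exit `Arrays.equals` pattern beside two constant-time alternatives, `MessageDigest.isEqual` from the JDK and a hand-written comparison, and includes a crude timing loop that rejects a guess wrong in byte 0 and a guess wrong only in the last byte, so the data-dependent cost of the vulnerable comparison can be observed. The secret and guesses are constructed inline.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.function.BiPredicate;

// Added example, not Kafka code. Names are hypothetical.
public final class CredentialCompare {

    // Vulnerable pattern: Arrays.equals compares lengths, then returns at the
    // first mismatching byte (on modern JDKs the intrinsic works in
    // machine-word chunks, so the leak is per word rather than per byte, but
    // it remains data dependent).
    static boolean equalsEarlyExit(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Preferred fix on a current JDK: MessageDigest.isEqual is documented to
    // take time that does not depend on where the two inputs differ.
    static boolean equalsLibraryConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Explicit constant-time comparison for code that cannot rely on the JDK
    // method. Every byte of `expected` is visited regardless of where the first
    // difference is; only the length of `expected` affects the run time, which
    // is acceptable when the secret is a fixed-length hash or key.
    static boolean equalsConstantTime(byte[] expected, byte[] supplied) {
        if (expected == null || supplied == null) {
            return expected == supplied;
        }
        if (supplied.length == 0) {
            return expected.length == 0;
        }
        // Fold the length difference into the result instead of returning early.
        int result = expected.length ^ supplied.length;
        for (int i = 0; i < expected.length; i++) {
            // Index `supplied` cyclically so a short guess does not shorten the loop.
            result |= expected[i] ^ supplied[i % supplied.length];
        }
        return result == 0;
    }

    // Time `iters` rejections of `guess` against `expected` with the given
    // comparison. Nothing printed is precise; this is only a demonstration.
    private static long timeNanos(BiPredicate<byte[], byte[]> cmp,
                                  byte[] expected, byte[] guess, int iters) {
        boolean sink = false;
        long start = System.nanoTime();
        for (int i = 0; i < iters; i++) {
            sink ^= cmp.test(expected, guess);
        }
        long elapsed = System.nanoTime() - start;
        if (sink) {
            System.out.print(""); // keep the JIT from discarding the loop
        }
        return elapsed;
    }

    public static void main(String[] args) {
        // Constructed 32-byte secret and two wrong guesses: one differs in
        // byte 0, the other only in byte 31.
        byte[] secret = new byte[32];
        Arrays.fill(secret, (byte) 'A');
        byte[] wrongFirst = secret.clone();
        wrongFirst[0] ^= 1;
        byte[] wrongLast = secret.clone();
        wrongLast[31] ^= 1;

        // Sanity: all three comparisons agree on the results.
        assert equalsEarlyExit(secret, secret.clone())
            && equalsLibraryConstantTime(secret, secret.clone())
            && equalsConstantTime(secret, secret.clone());
        assert !equalsEarlyExit(secret, wrongLast)
            && !equalsLibraryConstantTime(secret, wrongLast)
            && !equalsConstantTime(secret, wrongLast);

        int iters = 5_000_000;
        String[] names = {"Arrays.equals", "MessageDigest.isEqual", "manual constant-time"};
        BiPredicate<byte[], byte[]>[] cmps = new BiPredicate[] {
            (BiPredicate<byte[], byte[]>) CredentialCompare::equalsEarlyExit,
            (BiPredicate<byte[], byte[]>) CredentialCompare::equalsLibraryConstantTime,
            (BiPredicate<byte[], byte[]>) CredentialCompare::equalsConstantTime
        };
        for (int k = 0; k < cmps.length; k++) {
            timeNanos(cmps[k], secret, wrongFirst, iters); // warm-up
            long first = timeNanos(cmps[k], secret, wrongFirst, iters);
            long last = timeNanos(cmps[k], secret, wrongLast, iters);
            System.out.printf("%-22s wrong@0: %8d us   wrong@31: %8d us%n",
                              names[k], first / 1000, last / 1000);
        }
    }
}
```

Run with `java -ea CredentialCompare`. Absolute numbers are machine and JVM dependent and a single run is noisy; the point is the relative gap between the two guesses for `Arrays.equals` versus its absence for the other two. Independently of which comparison is used, a verifier should compare a salted hash (or HMAC) of the supplied credential against the stored value rather than the raw secret, which also gives both sides a fixed length.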
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2021-09-22T09:05:11
Updated: 2024-08-04T01:37:15.929Z
Reserved: 2021-08-06T00:00:00
Link: CVE-2021-38153
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-09-22T09:15:07.847
Modified: 2024-11-21T06:16:30.110
Link: CVE-2021-38153