CVE-2021-38153 - Vulnerability Details

Vendors	Products
Apache	Kafka
Oracle	Communications Brm - Elastic Charging Engine Communications Cloud Native Core Policy Financial Services Analytical Applications Infrastructure Financial Services Behavior Detection Platform Financial Services Enterprise Case Management Primavera Unifier
Quarkus	Quarkus
Redhat	Amq Streams Camel Quarkus Integration Jboss Data Grid Jboss Fuse Openshift Application Runtimes Service Registry

Package	CPE	Advisory	Released Date
Red Hat AMQ Streams 1.6.6
kafka	cpe:/a:redhat:amq_streams:1	RHSA-2022:0219	2022-01-20T00:00:00Z
kafka-clients	cpe:/a:redhat:amq_streams:1	RHSA-2022:0219	2022-01-20T00:00:00Z
Red Hat AMQ Streams 2.0.0
kafka	cpe:/a:redhat:amq_streams:2	RHSA-2022:0138	2022-01-13T00:00:00Z
Red Hat build of Quarkus 2.2.5
kafka-clients	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0589	2022-02-21T00:00:00Z
Red Hat Data Grid 8.3.1
kafka-clients	cpe:/a:redhat:jboss_data_grid:8	RHSA-2022:2232	2022-05-12T00:00:00Z
Red Hat Fuse 7.11
kafka-clients	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z
RHAF Camel-K 1.8
kafka-clients	cpe:/a:redhat:integration:1	RHSA-2022:6407	2022-09-09T00:00:00Z
RHINT Camel-Q 2.7
kafka-clients	cpe:/a:redhat:camel_quarkus:2.7	RHSA-2022:5606	2022-07-19T00:00:00Z
RHINT Service Registry 2.0.3 GA
kafka-clients	cpe:/a:redhat:service_registry:2.0.3	RHSA-2022:0501	2022-02-09T00:00:00Z
Vert.x 4.2.5
kafka	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0737	2022-03-31T00:00:00Z
kafka-clients	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0737	2022-03-31T00:00:00Z

Link	Providers
https://kafka.apache.org/cve-list
https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2021-38153
https://www.cve.org/CVERecord?id=CVE-2021-38153
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Apache Kafka", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.1", "status": "affected", "version": "Apache Kafka 2.0.x", "versionType": "custom"}, {"lessThanOrEqual": "2.1.1", "status": "affected", "version": "Apache Kafka 2.1.x", "versionType": "custom"}, {"lessThanOrEqual": "2.2.2", "status": "affected", "version": "Apache Kafka 2.2.x", "versionType": "custom"}, {"lessThanOrEqual": "2.3.1", "status": "affected", "version": "Apache Kafka 2.3.x", "versionType": "custom"}, {"lessThanOrEqual": "2.4.1", "status": "affected", "version": "Apache Kafka 2.4.x", "versionType": "custom"}, {"lessThanOrEqual": "2.5.1", "status": "affected", "version": "Apache Kafka 2.5.x", "versionType": "custom"}, {"lessThanOrEqual": "2.6.2", "status": "affected", "version": "Apache Kafka 2.6.x", "versionType": "custom"}, {"lessThanOrEqual": "2.7.1", "status": "affected", "version": "Apache Kafka 2.7.x", "versionType": "custom"}, {"lessThanOrEqual": "2.8.0", "status": "affected", "version": "Apache Kafka 2.8.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:31:36", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Timing Attack Vulnerability for Apache Kafka Connect and Clients", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-38153", "STATE": "PUBLIC", "TITLE": "Timing Attack Vulnerability for Apache Kafka Connect and Clients"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Kafka", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Kafka 2.0.x", "version_value": "2.0.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.1.x", "version_value": "2.1.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.2.x", "version_value": "2.2.2"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.3.x", "version_value": "2.3.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.4.x", "version_value": "2.4.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.5.x", "version_value": "2.5.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.6.x", "version_value": "2.6.2"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.7.x", "version_value": "2.7.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.8.x", "version_value": "2.8.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-203 Observable Discrepancy"}]}]}, "references": {"reference_data": [{"name": "https://kafka.apache.org/cve-list", "refsource": "MISC", "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:15.929Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-38153", "datePublished": "2021-09-22T09:05:11", "dateReserved": "2021-08-06T00:00:00", "dateUpdated": "2024-08-04T01:37:15.929Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Apache Kafka (string)

vendor : Apache Software Foundation (string)

versions : [ »

0 : { »

lessThanOrEqual : 2.0.1 (string)

status : affected (string)

version : Apache Kafka 2.0.x (string)

versionType : custom (string)

}

1 : { »

lessThanOrEqual : 2.1.1 (string)

status : affected (string)

version : Apache Kafka 2.1.x (string)

versionType : custom (string)

}

2 : { »

lessThanOrEqual : 2.2.2 (string)

status : affected (string)

version : Apache Kafka 2.2.x (string)

versionType : custom (string)

}

3 : { »

lessThanOrEqual : 2.3.1 (string)

status : affected (string)

version : Apache Kafka 2.3.x (string)

versionType : custom (string)

}

4 : { »

lessThanOrEqual : 2.4.1 (string)

status : affected (string)

version : Apache Kafka 2.4.x (string)

versionType : custom (string)

}

5 : { »

lessThanOrEqual : 2.5.1 (string)

status : affected (string)

version : Apache Kafka 2.5.x (string)

versionType : custom (string)

}

6 : { »

lessThanOrEqual : 2.6.2 (string)

status : affected (string)

version : Apache Kafka 2.6.x (string)

versionType : custom (string)

}

7 : { »

lessThanOrEqual : 2.7.1 (string)

status : affected (string)

version : Apache Kafka 2.7.x (string)

versionType : custom (string)

}

8 : { »

lessThanOrEqual : 2.8.0 (string)

status : affected (string)

version : Apache Kafka 2.8.x (string)

versionType : custom (string)

}

]

}

]

credits : [ »

0 : { »

lang : en (string)

value : Apache Kafka would like to thank J. Santilli for reporting this issue. (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. (string)

}

]

metrics : [ »

0 : { »

other : { »

content : { »

other : moderate (string)

}

type : unknown (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-203 (string)

description : CWE-203 Observable Discrepancy (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2022-07-25T16:31:36 (string)

orgId : f0158376-9dc2-43b6-827c-5f631a4d8d09 (string)

shortName : apache (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://kafka.apache.org/cve-list (string)

}

1 : { »

name : [kafka-dev] 20211007 Re: CVE Back Port? (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E (string)

}

2 : { »

name : [kafka-dev] 20211012 [VOTE] 2.6.3 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E (string)

}

3 : { »

name : [kafka-users] 20211012 [VOTE] 2.6.3 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E (string)

}

4 : { »

name : [kafka-users] 20211012 [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E (string)

}

5 : { »

name : [kafka-dev] 20211012 [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E (string)

}

6 : { »

name : [kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E (string)

}

7 : { »

name : [kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E (string)

}

8 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.oracle.com/security-alerts/cpujan2022.html (string)

}

9 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

}

10 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.oracle.com/security-alerts/cpujul2022.html (string)

}

]

source : { »

discovery : UNKNOWN (string)

}

title : Timing Attack Vulnerability for Apache Kafka Connect and Clients (string)

x_generator : { »

engine : Vulnogram 0.0.9 (string)

}

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@apache.org (string)

ID : CVE-2021-38153 (string)

STATE : PUBLIC (string)

TITLE : Timing Attack Vulnerability for Apache Kafka Connect and Clients (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Apache Kafka (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.0.x (string)

version_value : 2.0.1 (string)

}

1 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.1.x (string)

version_value : 2.1.1 (string)

}

2 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.2.x (string)

version_value : 2.2.2 (string)

}

3 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.3.x (string)

version_value : 2.3.1 (string)

}

4 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.4.x (string)

version_value : 2.4.1 (string)

}

5 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.5.x (string)

version_value : 2.5.1 (string)

}

6 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.6.x (string)

version_value : 2.6.2 (string)

}

7 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.7.x (string)

version_value : 2.7.1 (string)

}

8 : { »

version_affected : <= (string)

version_name : Apache Kafka 2.8.x (string)

version_value : 2.8.0 (string)

}

]

}

]

}

vendor_name : Apache Software Foundation (string)

}

]

}

credit : [ »

0 : { »

lang : eng (string)

value : Apache Kafka would like to thank J. Santilli for reporting this issue. (string)

}

]

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. (string)

}

]

}

generator : { »

engine : Vulnogram 0.0.9 (string)

}

impact : [ »

0 : { »

other : moderate (string)

}

]

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-203 Observable Discrepancy (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://kafka.apache.org/cve-list (string)

refsource : MISC (string)

url : https://kafka.apache.org/cve-list (string)

}

1 : { »

name : [kafka-dev] 20211007 Re: CVE Back Port? (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E (string)

}

2 : { »

name : [kafka-dev] 20211012 [VOTE] 2.6.3 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E (string)

}

3 : { »

name : [kafka-users] 20211012 [VOTE] 2.6.3 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E (string)

}

4 : { »

name : [kafka-users] 20211012 [VOTE] 2.7.2 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E (string)

}

5 : { »

name : [kafka-dev] 20211012 [VOTE] 2.7.2 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E (string)

}

6 : { »

name : [kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E (string)

}

7 : { »

name : [kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E (string)

}

8 : { »

name : https://www.oracle.com/security-alerts/cpujan2022.html (string)

refsource : MISC (string)

url : https://www.oracle.com/security-alerts/cpujan2022.html (string)

}

9 : { »

name : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

refsource : MISC (string)

url : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

}

10 : { »

name : https://www.oracle.com/security-alerts/cpujul2022.html (string)

refsource : MISC (string)

url : https://www.oracle.com/security-alerts/cpujul2022.html (string)

}

]

}

source : { »

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T01:37:15.929Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://kafka.apache.org/cve-list (string)

}

1 : { »

name : [kafka-dev] 20211007 Re: CVE Back Port? (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E (string)

}

2 : { »

name : [kafka-dev] 20211012 [VOTE] 2.6.3 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E (string)

}

3 : { »

name : [kafka-users] 20211012 [VOTE] 2.6.3 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E (string)

}

4 : { »

name : [kafka-users] 20211012 [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E (string)

}

5 : { »

name : [kafka-dev] 20211012 [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E (string)

}

6 : { »

name : [kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E (string)

}

7 : { »

name : [kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E (string)

}

8 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.oracle.com/security-alerts/cpujan2022.html (string)

}

9 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

}

10 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.oracle.com/security-alerts/cpujul2022.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : f0158376-9dc2-43b6-827c-5f631a4d8d09 (string)

assignerShortName : apache (string)

cveId : CVE-2021-38153 (string)

datePublished : 2021-09-22T09:05:11 (string)

dateReserved : 2021-08-06T00:00:00 (string)

dateUpdated : 2024-08-04T01:37:15.929Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "matchCriteriaId": "37D255E1-95C1-4A9B-B934-E2F0DB117CF2", "versionEndExcluding": "2.6.3", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866", "versionEndExcluding": "2.7.2", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*", "matchCriteriaId": "AF660B80-E5F4-4253-95F6-91AABDDC8944", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B", "versionEndExcluding": "12.0.0.4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF", "versionEndIncluding": "8.0.9.0", "versionStartIncluding": "8.0.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5DCBA98-B60C-4D51-960D-2C0833762CC7", "versionEndIncluding": "8.1.20", "versionStartIncluding": "8.1.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596", "versionEndIncluding": "8.0.8.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}, {"lang": "es", "value": "Algunos componentes de Apache Kafka usan \"Arrays.equals\" para comprender una contrase\u00f1a o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan m\u00e1s probabilidades de \u00e9xito. Los usuarios deben actualizar a la versi\u00f3n 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0"}], "id": "CVE-2021-38153", "lastModified": "2024-11-21T06:16:30.110", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-22T09:15:07.847", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://kafka.apache.org/cve-list"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kafka.apache.org/cve-list"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 37D255E1-95C1-4A9B-B934-E2F0DB117CF2 (string)

versionEndExcluding : 2.6.3 (string)

versionStartIncluding : 2.0.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E2F46DB5-7FE5-4496-AC7F-CA471BBE3866 (string)

versionEndExcluding : 2.7.2 (string)

versionStartIncluding : 2.7.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:* (string)

matchCriteriaId : AF660B80-E5F4-4253-95F6-91AABDDC8944 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 6677F86F-5933-460E-B978-23A4C1407CB0 (string)

versionEndExcluding : 2.2.4 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

2 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 6894D860-000E-439D-8AB7-07E9B2ACC31B (string)

versionEndExcluding : 12.0.0.4.6 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:* (string)

matchCriteriaId : FD66C717-85E0-40E7-A51F-549C8196D557 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* (string)

matchCriteriaId : B4367D9B-BF81-47AD-A840-AC46317C774D (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF (string)

versionEndIncluding : 8.0.9.0 (string)

versionStartIncluding : 8.0.6.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (string)

matchCriteriaId : A5DCBA98-B60C-4D51-960D-2C0833762CC7 (string)

versionEndIncluding : 8.1.20 (string)

versionStartIncluding : 8.1.0.0.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 147A4225-A2D5-4AA1-96D1-6D95A192B596 (string)

versionEndIncluding : 8.0.8.0 (string)

versionStartIncluding : 8.0.6.0.0 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:* (string)

matchCriteriaId : A4B3A10E-70A8-4332-8567-06AE2C45D3C6 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 059F0D4E-B007-4986-AB95-89F11147CB2B (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 6CAC78AD-86BB-4F06-B8CF-8E1329987F2F (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:* (string)

matchCriteriaId : C64D669C-513E-4C53-8BB8-13EB336CDC3A (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:* (string)

matchCriteriaId : D4BDDBCD-4038-4BEC-91DB-587C2FBC6369 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:* (string)

matchCriteriaId : F6394E90-2F2C-4955-9F97-BFED76D4333B (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 44563108-AD89-49A0-9FA5-7DE5A5601D2C (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:* (string)

matchCriteriaId : FCA5DC3F-E7D8-45E3-8114-2213EC631CDF (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* (string)

matchCriteriaId : 202AD518-2E9B-4062-B063-9858AE1F9CE2 (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 10864586-270E-4ACF-BDCC-ECFCD299305F (string)

vulnerable : true (boolean)

}

17 : { »

criteria : cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 38340E3C-C452-4370-86D4-355B6B4E0A06 (string)

vulnerable : true (boolean)

}

18 : { »

criteria : cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:* (string)

matchCriteriaId : E9C55C69-E22E-4B80-9371-5CD821D79FE2 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. (string)

}

1 : { »

lang : es (string)

value : Algunos componentes de Apache Kafka usan "Arrays.equals" para comprender una contraseña o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan más probabilidades de éxito. Los usuarios deben actualizar a la versión 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0 (string)

}

]

id : CVE-2021-38153 (string)

lastModified : 2024-11-21T06:16:30.110 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:M/Au:N/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.9 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.2 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-09-22T09:15:07.847 (string)

references : [ »

0 : { »

source : security@apache.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://kafka.apache.org/cve-list (string)

}

1 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E (string)

}

2 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E (string)

}

3 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E (string)

}

4 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E (string)

}

5 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E (string)

}

6 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E (string)

}

7 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E (string)

}

8 : { »

source : security@apache.org (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

}

9 : { »

source : security@apache.org (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpujan2022.html (string)

}

10 : { »

source : security@apache.org (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpujul2022.html (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://kafka.apache.org/cve-list (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E (string)

}

16 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E (string)

}

17 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E (string)

}

18 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E (string)

}

19 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpuapr2022.html (string)

}

20 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpujan2022.html (string)

}

21 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://www.oracle.com/security-alerts/cpujul2022.html (string)

}

]

sourceIdentifier : security@apache.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-203 (string)

}

]

source : security@apache.org (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-203 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHSA-2022:0219", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "kafka", "product_name": "Red Hat AMQ Streams 1.6.6", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0219", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "kafka-clients", "product_name": "Red Hat AMQ Streams 1.6.6", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0138", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "kafka", "product_name": "Red Hat AMQ Streams 2.0.0", "release_date": "2022-01-13T00:00:00Z"}, {"advisory": "RHSA-2022:0589", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka-clients", "product_name": "Red Hat build of Quarkus 2.2.5", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:2232", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "kafka-clients", "product_name": "Red Hat Data Grid 8.3.1", "release_date": "2022-05-12T00:00:00Z"}, {"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "kafka-clients", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "package": "kafka-clients", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:5606", "cpe": "cpe:/a:redhat:camel_quarkus:2.7", "package": "kafka-clients", "product_name": "RHINT Camel-Q 2.7", "release_date": "2022-07-19T00:00:00Z"}, {"advisory": "RHSA-2022:0501", "cpe": "cpe:/a:redhat:service_registry:2.0.3", "package": "kafka-clients", "product_name": "RHINT Service Registry 2.0.3 GA", "release_date": "2022-02-09T00:00:00Z"}, {"advisory": "RHSA-2022:0737", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka", "product_name": "Vert.x 4.2.5", "release_date": "2022-03-31T00:00:00Z"}, {"advisory": "RHSA-2022:0737", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka-clients", "product_name": "Vert.x 4.2.5", "release_date": "2022-03-31T00:00:00Z"}], "bugzilla": {"description": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients", "id": "2009041", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-367", "details": ["Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."], "name": "CVE-2021-38153", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Will not fix", "package_name": "kafka-clients", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Out of support scope", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-38153\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38153"], "threat_severity": "Moderate"}

{

affected_release : [ »

0 : { »

advisory : RHSA-2022:0219 (string)

cpe : cpe:/a:redhat:amq_streams:1 (string)

package : kafka (string)

product_name : Red Hat AMQ Streams 1.6.6 (string)

release_date : 2022-01-20T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2022:0219 (string)

cpe : cpe:/a:redhat:amq_streams:1 (string)

package : kafka-clients (string)

product_name : Red Hat AMQ Streams 1.6.6 (string)

release_date : 2022-01-20T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2022:0138 (string)

cpe : cpe:/a:redhat:amq_streams:2 (string)

package : kafka (string)

product_name : Red Hat AMQ Streams 2.0.0 (string)

release_date : 2022-01-13T00:00:00Z (string)

}

3 : { »

advisory : RHSA-2022:0589 (string)

cpe : cpe:/a:redhat:openshift_application_runtimes:1.0 (string)

package : kafka-clients (string)

product_name : Red Hat build of Quarkus 2.2.5 (string)

release_date : 2022-02-21T00:00:00Z (string)

}

4 : { »

advisory : RHSA-2022:2232 (string)

cpe : cpe:/a:redhat:jboss_data_grid:8 (string)

package : kafka-clients (string)

product_name : Red Hat Data Grid 8.3.1 (string)

release_date : 2022-05-12T00:00:00Z (string)

}

5 : { »

advisory : RHSA-2022:5532 (string)

cpe : cpe:/a:redhat:jboss_fuse:7 (string)

package : kafka-clients (string)

product_name : Red Hat Fuse 7.11 (string)

release_date : 2022-07-07T00:00:00Z (string)

}

6 : { »

advisory : RHSA-2022:6407 (string)

cpe : cpe:/a:redhat:integration:1 (string)

package : kafka-clients (string)

product_name : RHAF Camel-K 1.8 (string)

release_date : 2022-09-09T00:00:00Z (string)

}

7 : { »

advisory : RHSA-2022:5606 (string)

cpe : cpe:/a:redhat:camel_quarkus:2.7 (string)

package : kafka-clients (string)

product_name : RHINT Camel-Q 2.7 (string)

release_date : 2022-07-19T00:00:00Z (string)

}

8 : { »

advisory : RHSA-2022:0501 (string)

cpe : cpe:/a:redhat:service_registry:2.0.3 (string)

package : kafka-clients (string)

product_name : RHINT Service Registry 2.0.3 GA (string)

release_date : 2022-02-09T00:00:00Z (string)

}

9 : { »

advisory : RHSA-2022:0737 (string)

cpe : cpe:/a:redhat:openshift_application_runtimes:1.0 (string)

package : kafka (string)

product_name : Vert.x 4.2.5 (string)

release_date : 2022-03-31T00:00:00Z (string)

}

10 : { »

advisory : RHSA-2022:0737 (string)

cpe : cpe:/a:redhat:openshift_application_runtimes:1.0 (string)

package : kafka-clients (string)

product_name : Vert.x 4.2.5 (string)

release_date : 2022-03-31T00:00:00Z (string)

}

]

bugzilla : { »

description : Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (string)

id : 2009041 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2009041 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 5.9 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

status : verified (string)

}

cwe : CWE-367 (string)

details : [ »

0 : Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. (string)

]

name : CVE-2021-38153 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:logging:5 (string)

fix_state : Not affected (string)

package_name : openshift-logging/elasticsearch6-rhel8 (string)

product_name : Logging Subsystem for Red Hat OpenShift (string)

}

1 : { »

cpe : cpe:/a:redhat:openshift_application_runtimes:1.0 (string)

fix_state : Affected (string)

package_name : kafka-clients (string)

product_name : Red Hat build of Quarkus (string)

}

2 : { »

cpe : cpe:/a:redhat:jboss_developer_studio:12. (string)

fix_state : Will not fix (string)

package_name : kafka-clients (string)

product_name : Red Hat CodeReady Studio 12 (string)

}

3 : { »

cpe : cpe:/a:redhat:jboss_enterprise_brms_platform:7 (string)

fix_state : Affected (string)

package_name : kafka-clients (string)

product_name : Red Hat Decision Manager 7 (string)

}

4 : { »

cpe : cpe:/a:redhat:integration:1 (string)

fix_state : Affected (string)

package_name : kafka-clients (string)

product_name : Red Hat Integration Service Registry (string)

}

5 : { »

cpe : cpe:/a:redhat:jbosseapxp (string)

fix_state : Out of support scope (string)

package_name : kafka-clients (string)

product_name : Red Hat JBoss Enterprise Application Platform Expansion Pack (string)

}

6 : { »

cpe : cpe:/a:redhat:jboss_fuse:6 (string)

fix_state : Out of support scope (string)

package_name : kafka-clients (string)

product_name : Red Hat JBoss Fuse 6 (string)

}

7 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift4/ose-logging-elasticsearch6 (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

8 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift4/ose-metering-hadoop (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

9 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift4/ose-metering-hive (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

10 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift4/ose-metering-presto (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

11 : { »

cpe : cpe:/a:redhat:jboss_enterprise_bpms_platform:7 (string)

fix_state : Affected (string)

package_name : kafka-clients (string)

product_name : Red Hat Process Automation 7 (string)

}

]

public_date : 2021-09-21T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2021-38153 https://nvd.nist.gov/vuln/detail/CVE-2021-38153 (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object