{
  "threat_severity" : "Moderate",
  "public_date" : "2021-09-21T00:00:00Z",
  "bugzilla" : {
    "description" : "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients",
    "id" : "2009041",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2009041"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "Some components in Apache Kafka use `Arrays.equals` to validate a password or key. `Arrays.equals` returns as soon as it finds the first mismatching element, so the time taken to reject a guess depends on how many leading bytes of the guess matched the real credential; an attacker who can measure these response-time differences can use them to narrow the search space, making brute force attacks against such credentials more likely to succeed than against a constant-time comparison (for example `MessageDigest.isEqual`). Exploitation requires measuring small timing differences, typically over the network, which is reflected in the High attack complexity of the CVSS score. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Streams 1.6.6",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0219",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.0.0",
    "release_date" : "2022-01-13T00:00:00Z",
    "advisory" : "RHSA-2022:0138",
    "cpe" : "cpe:/a:redhat:amq_streams:2",
    "package" : "kafka"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.2.5",
    "release_date" : "2022-02-21T00:00:00Z",
    "advisory" : "RHSA-2022:0589",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "kafka-clients"
  }, {
    "product_name" : "Red Hat Data Grid 8.3.1",
    "release_date" : "2022-05-12T00:00:00Z",
    "advisory" : "RHSA-2022:2232",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "kafka-clients"
  }, {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "kafka-clients"
  }, {
    "product_name" : "RHAF Camel-K 1.8",
    "release_date" : "2022-09-09T00:00:00Z",
    "advisory" : "RHSA-2022:6407",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "kafka-clients"
  }, {
    "product_name" : "RHINT Camel-Q 2.7",
    "release_date" : "2022-07-19T00:00:00Z",
    "advisory" : "RHSA-2022:5606",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.7"
  }, {
    "product_name" : "RHINT Service Registry 2.0.3 GA",
    "release_date" : "2022-02-09T00:00:00Z",
    "advisory" : "RHSA-2022:0501",
    "cpe" : "cpe:/a:redhat:service_registry:2.0.3",
    "package" : "kafka-clients"
  }, {
    "product_name" : "Vert.x 4.2.5",
    "release_date" : "2022-03-31T00:00:00Z",
    "advisory" : "RHSA-2022:0737",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "kafka"
  }, {
    "product_name" : "Vert.x 4.2.5",
    "release_date" : "2022-03-31T00:00:00Z",
    "advisory" : "RHSA-2022:0737",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "kafka-clients"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat Integration Service Registry",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Out of support scope",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-presto",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "kafka-clients",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-38153\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38153" ],
  "name" : "CVE-2021-38153",
  "csaw" : false
}