{"containers": {"cna": {"affected": [{"product": "Apache Kafka", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.1", "status": "affected", "version": "Apache Kafka 2.0.x", "versionType": "custom"}, {"lessThanOrEqual": "2.1.1", "status": "affected", "version": "Apache Kafka 2.1.x", "versionType": "custom"}, {"lessThanOrEqual": "2.2.2", "status": "affected", "version": "Apache Kafka 2.2.x", "versionType": "custom"}, {"lessThanOrEqual": "2.3.1", "status": "affected", "version": "Apache Kafka 2.3.x", "versionType": "custom"}, {"lessThanOrEqual": "2.4.1", "status": "affected", "version": "Apache Kafka 2.4.x", "versionType": "custom"}, {"lessThanOrEqual": "2.5.1", "status": "affected", "version": "Apache Kafka 2.5.x", "versionType": "custom"}, {"lessThanOrEqual": "2.6.2", "status": "affected", "version": "Apache Kafka 2.6.x", "versionType": "custom"}, {"lessThanOrEqual": "2.7.1", "status": "affected", "version": "Apache Kafka 2.7.x", "versionType": "custom"}, {"lessThanOrEqual": "2.8.0", "status": "affected", "version": "Apache Kafka 2.8.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:31:36", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Timing Attack Vulnerability for Apache Kafka Connect and Clients", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-38153", "STATE": "PUBLIC", "TITLE": "Timing Attack Vulnerability for Apache Kafka Connect and Clients"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Kafka", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Kafka 2.0.x", "version_value": "2.0.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.1.x", "version_value": "2.1.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.2.x", "version_value": "2.2.2"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.3.x", "version_value": "2.3.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.4.x", "version_value": "2.4.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.5.x", "version_value": "2.5.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.6.x", "version_value": "2.6.2"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.7.x", "version_value": "2.7.1"}, {"version_affected": "<=", "version_name": "Apache Kafka 2.8.x", "version_value": "2.8.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-203 Observable Discrepancy"}]}]}, "references": {"reference_data": [{"name": "https://kafka.apache.org/cve-list", "refsource": "MISC", "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:15.929Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kafka.apache.org/cve-list"}, {"name": "[kafka-dev] 20211007 Re: CVE Back Port?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-38153", "datePublished": "2021-09-22T09:05:11", "dateReserved": "2021-08-06T00:00:00", "dateUpdated": "2024-08-04T01:37:15.929Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "matchCriteriaId": "37D255E1-95C1-4A9B-B934-E2F0DB117CF2", "versionEndExcluding": "2.6.3", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866", "versionEndExcluding": "2.7.2", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*", "matchCriteriaId": "AF660B80-E5F4-4253-95F6-91AABDDC8944", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B", "versionEndExcluding": "12.0.0.4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF", "versionEndIncluding": "8.0.9.0", "versionStartIncluding": "8.0.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5DCBA98-B60C-4D51-960D-2C0833762CC7", "versionEndIncluding": "8.1.20", "versionStartIncluding": "8.1.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596", "versionEndIncluding": "8.0.8.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}, {"lang": "es", "value": "Algunos componentes de Apache Kafka usan \"Arrays.equals\" para comprender una contrase\u00f1a o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan m\u00e1s probabilidades de \u00e9xito. Los usuarios deben actualizar a la versi\u00f3n 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0"}], "id": "CVE-2021-38153", "lastModified": "2023-11-07T03:37:22.183", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-22T09:15:07.847", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://kafka.apache.org/cve-list"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0219", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "kafka", "product_name": "Red Hat AMQ Streams 1.6.6", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0219", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "kafka-clients", "product_name": "Red Hat AMQ Streams 1.6.6", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0138", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "kafka", "product_name": "Red Hat AMQ Streams 2.0.0", "release_date": "2022-01-13T00:00:00Z"}, {"advisory": "RHSA-2022:0589", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka-clients", "product_name": "Red Hat build of Quarkus 2.2.5", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:2232", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "kafka-clients", "product_name": "Red Hat Data Grid 8.3.1", "release_date": "2022-05-12T00:00:00Z"}, {"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "kafka-clients", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "package": "kafka-clients", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:5606", "cpe": "cpe:/a:redhat:camel_quarkus:2.7", "package": "kafka-clients", "product_name": "RHINT Camel-Q 2.7", "release_date": "2022-07-19T00:00:00Z"}, {"advisory": "RHSA-2022:0501", "cpe": "cpe:/a:redhat:service_registry:2.0.3", "package": "kafka-clients", "product_name": "RHINT Service Registry 2.0.3 GA", "release_date": "2022-02-09T00:00:00Z"}, {"advisory": "RHSA-2022:0737", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka", "product_name": "Vert.x 4.2.5", "release_date": "2022-03-31T00:00:00Z"}, {"advisory": "RHSA-2022:0737", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "kafka-clients", "product_name": "Vert.x 4.2.5", "release_date": "2022-03-31T00:00:00Z"}], "bugzilla": {"description": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients", "id": "2009041", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-367", "details": ["Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."], "name": "CVE-2021-38153", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Will not fix", "package_name": "kafka-clients", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Out of support scope", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "hadoop-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-38153\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38153"], "threat_severity": "Moderate", "upstream_fix": "kafka-2.8.1 kafka-clients-2.8.1"}