
CVE-2021-38153


Published: Sep 22, 2021

Modified: Aug 4, 2024

Status: PUBLISHED

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key. That comparison is vulnerable to timing attacks, which make brute-force attacks on such credentials more likely to succeed. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
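As an added illustration of the weakness described above (this is example code, not Kafka's own): the short-circuiting comparison beside a constant-time replacement. The class name, method names and the byte-array values are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // The pattern the advisory describes: Arrays.equals returns at the first
    // mismatching byte, so the time taken to reject a guess grows with the
    // number of leading bytes that match the stored credential.
    static boolean validateWithArraysEquals(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Fixed form: MessageDigest.isEqual examines every byte of equal-length
    // inputs regardless of where they first differ (on current JDKs).
    static boolean validateConstantTime(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    // The same idea written out, to show what "constant time" means here:
    // OR every byte difference together and inspect the result only at the
    // end. The length of the stored credential remains observable.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] stored = "s3cret-key-value".getBytes(StandardCharsets.UTF_8);
        byte[] wrongEarly = "x3cret-key-value".getBytes(StandardCharsets.UTF_8);
        byte[] wrongLate = "s3cret-key-valuX".getBytes(StandardCharsets.UTF_8);

        // All three comparisons return the same answers; only their
        // timing behaviour differs, which is the whole point of the fix.
        System.out.println(validateWithArraysEquals(stored, wrongEarly));
        System.out.println(validateWithArraysEquals(stored, wrongLate));
        System.out.println(validateConstantTime(stored, wrongLate));
        System.out.println(constantTimeEquals(stored, stored));
    }
}
```

A code review or static-analysis rule that flags `Arrays.equals` on secret-bearing arrays is an easy way to catch this class of defect before release.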

Vendor: Apache Software Foundation

Product: Apache Kafka

Versions:

affected: Apache Kafka 2.0.x - <= 2.0.1
affected: Apache Kafka 2.1.x - <= 2.1.1
affected: Apache Kafka 2.2.x - <= 2.2.2
affected: Apache Kafka 2.3.x - <= 2.3.1
affected: Apache Kafka 2.4.x - <= 2.4.1

(4 more affected version ranges; the full list of affected releases is given in the description above)

Weaknesses (CWE)
