====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN223

_____________________________________________________________________

DATE                : 18/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Apache Kafka versions prior to
                                          2.1.1.

=====================================================================
https://groups.google.com/forum/#!topic/kafka-clients/L3yhbWwKRqQ
_____________________________________________________________________

CVE-2018-17196: Potential to bypass transaction/idempotent ACL checks in
Apache Kafka

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache Kafka 0.11.0.0 - 2.1.0

Description: It is possible to manually craft a Produce request which
bypasses transaction/idempotent ACL validation. Only authenticated
clients with Write permission on the respective topics are able to
exploit this vulnerability.

Mitigation: Apache Kafka users should upgrade to 2.1.1 or later where
this vulnerability has been fixed.


Acknowledgements: This issue was reported by Jason Gustafson


Regards,
Jason

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================