=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN500
_____________________________________________________________________

DATE                : 22/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kafka versions 2 prior to
                                      2.8.1, 3.0.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3ce96f5938-8e95-52cf-86e7-ef043c575799@apache.org%3e
_____________________________________________________________________

CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and
Clients


Severity: moderate

Description:

Some components in Apache Kafka use `Arrays.equals` to validate a
password or key, which is vulnerable to timing attacks that make brute
force attacks for such credentials more likely to be successful. Users
should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this
vulnerability has been fixed. The affected versions include Apache Kafka
2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.


Credit:

Apache Kafka would like to thank J. Santilli for reporting this issue.


References:

https://kafka.apache.org/cve-list

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================