CVE-2021-38153

CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients

Vendor Apache Software Foundation
Product Apache Kafka
Weakness CWE-203
Published September 22, 2021
Last update August 4, 2024

CVSS base score

What the vulnerability does

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
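The weakness described above is the difference between an early-exit array comparison and a constant-time one. The following Java example is added here to illustrate that difference; it is not Apache Kafka code. `STORED` is a constructed sample credential, the `earlyExitEquals`/`constantTimeEquals` methods are instrumented re-implementations written for this illustration (the JDK's own `Arrays.equals` cannot be instrumented), and `MessageDigest.isEqual` is the standard-library constant-time comparison a fix of this kind would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

/**
 * Added example for CWE-203 as described in CVE-2021-38153.
 * Arrays.equals returns at the first differing byte, so the time a check
 * takes depends on how long the matching prefix was. A constant-time
 * comparison inspects every byte regardless of where inputs differ.
 */
public class CredentialCompare {

    // Constructed sample credential (not a real key).
    static final byte[] STORED = "s3cr3t-sample-key".getBytes(StandardCharsets.UTF_8);

    // Counts byte comparisons performed by the instrumented methods below.
    static int comparisons = 0;

    /** Vulnerable pattern: Arrays.equals short-circuits on the first mismatch. */
    static boolean checkVulnerable(byte[] candidate) {
        return Arrays.equals(STORED, candidate);
    }

    /** Hardened pattern: MessageDigest.isEqual is specified to run in constant time. */
    static boolean checkHardened(byte[] candidate) {
        return MessageDigest.isEqual(STORED, candidate);
    }

    /** Model of the early-exit behaviour of Arrays.equals, with comparison counting. */
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;   // returns before touching any byte
        for (int i = 0; i < a.length; i++) {
            comparisons++;
            if (a[i] != b[i]) return false;       // exit position leaks through timing
        }
        return true;
    }

    /**
     * Constant-time comparison: accumulate differences with XOR/OR and never
     * branch on secret data. On a length mismatch it still walks the stored
     * value so the work done does not depend on the candidate's content.
     */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        byte[] other = (a.length == b.length) ? b : a;
        for (int i = 0; i < a.length; i++) {
            comparisons++;
            diff |= a[i] ^ other[i];
        }
        return diff == 0 && a.length == b.length;
    }

    /** Candidate sharing the first n bytes with STORED, then a wrong byte. */
    static byte[] candidateWithPrefix(int n) {
        byte[] c = new byte[STORED.length];
        System.arraycopy(STORED, 0, c, 0, n);
        for (int i = n; i < c.length; i++) c[i] = (byte) '?';   // '?' is not in STORED
        return c;
    }

    public static void main(String[] args) {
        int[] prefixes = {0, 4, 8, STORED.length};
        for (int n : prefixes) {
            byte[] guess = candidateWithPrefix(n);

            comparisons = 0;
            boolean ee = earlyExitEquals(STORED, guess);
            int eeWork = comparisons;

            comparisons = 0;
            boolean ct = constantTimeEquals(STORED, guess);
            int ctWork = comparisons;

            System.out.printf("prefix=%2d  early-exit: match=%-5b work=%2d  constant-time: match=%-5b work=%2d%n",
                    n, ee, eeWork, ct, ctWork);
        }
        // Sanity check: both JDK-backed checks agree on a correct and an incorrect guess.
        System.out.println("vulnerable/hardened on correct key: "
                + checkVulnerable(STORED.clone()) + " / " + checkHardened(STORED.clone()));
        System.out.println("vulnerable/hardened on wrong key:   "
                + checkVulnerable(candidateWithPrefix(0)) + " / " + checkHardened(candidateWithPrefix(0)));
    }
}
```

Running `main` shows the early-exit count growing with the length of the matching prefix (1, 5, 9, then the full length on a match) while the constant-time count is the full length on every call. In code review, the check to make is that secrets, tokens and MACs are compared with `MessageDigest.isEqual` (or an equivalent constant-time routine) rather than `Arrays.equals`, `String.equals` or a hand-written loop that returns early.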

Key dates

Disclosure timeline

September 22, 2021 CVE published
August 4, 2024 Record updated