CVE-2018-1288
First published: Thu Jul 26 2018(Updated: )
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kafka | <0.10.2.2 | 0.10.2.2 |
| redhat/kafka | <0.11.0.3 | 0.11.0.3 |
| redhat/kafka | <1.0.1 | 1.0.1 |
| redhat/kafka | <1.1.0 | 1.1.0 |
| Apache Kafka | >0.9.0.0<=0.9.0.1 | |
| Apache Kafka | >=0.10.0.0<=0.10.2.1 | |
| Apache Kafka | >=0.11.0.0<=0.11.0.2 | |
| Apache Kafka | =1.0.0 | |
| Redhat Jboss Middleware Text-only Advisories Middleware | =1.0 | |
| Oracle Database | =11.2.0.4 | |
| Oracle Database | =12.1.0.2 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =18c | |
| Oracle Database | =19c | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0.0<=19.12.6.0 | |
| Oracle TimesTen In-Memory Database | <18.1.2.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E
- https://github.com/apache/kafka/commit/d2932ad370c5b56edac9d99e6d75f199537a569f
- https://github.com/apache/kafka/commit/580f743c3ce633241d6076ce83fb778cea86a1f6
- https://github.com/apache/kafka/commit/51f0f3ee792cf9352ce61afeca098c765cdad664
- https://access.redhat.com/errata/RHSA-2018:3768
- https://bugzilla.redhat.com/show_bug.cgi?id=1611059
- http://www.securityfocus.com/bid/104900
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58@%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58%40%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
Frequently Asked Questions
What is CVE-2018-1288?
CVE-2018-1288 is a vulnerability in Apache Kafka where authenticated users may perform actions reserved for the Broker resulting in data loss.
What is the severity of CVE-2018-1288?
CVE-2018-1288 has a severity level of 5.4 (Medium).
What software versions are affected by CVE-2018-1288?
CVE-2018-1288 affects Apache Kafka versions 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0.
How can I fix CVE-2018-1288?
To fix CVE-2018-1288, upgrade to Apache Kafka versions 0.10.2.2, 0.11.0.3, 1.0.1, or 1.1.0.
Where can I find more information about CVE-2018-1288?
You can find more information about CVE-2018-1288 in the references provided: [Reference 1](https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E), [Reference 2](https://github.com/apache/kafka/commit/d2932ad370c5b56edac9d99e6d75f199537a569f), [Reference 3](https://github.com/apache/kafka/commit/580f743c3ce633241d6076ce83fb778cea86a1f6).
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1288
- agent/software-canonical-lookup
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/apache
- canonical/apache kafka
- version/apache kafka/0.9.0.1
- version/apache kafka/0.10.0.0
- version/apache kafka/0.10.2.1
- version/apache kafka/0.11.0.0
- version/apache kafka/0.11.0.2
- version/apache kafka/1.0.0
- vendor/redhat
- canonical/redhat jboss middleware text-only advisories middleware
- version/redhat jboss middleware text-only advisories middleware/1.0
- vendor/oracle
- canonical/oracle database
- version/oracle database/11.2.0.4
- version/oracle database/12.1.0.2
- version/oracle database/12.2.0.1
- version/oracle database/18c
- version/oracle database/19c
- canonical/oracle primavera p6 enterprise project portfolio management
- version/oracle primavera p6 enterprise project portfolio management/19.12.0.0
- version/oracle primavera p6 enterprise project portfolio management/19.12.6.0
- canonical/oracle timesten in-memory database