CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients
First published: Tue Sep 21 2021(Updated: )
Apache Kafka could allow a remote attacker to obtain sensitive information, caused by a timing attack flaw due to the use of "Arrays.equals" to validate a password or key. By utilizing brute-force attack techniques, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.kafka:kafka-clients | =2.8.0 | 2.8.1 |
| maven/org.apache.kafka:kafka-clients | >=2.7.0<2.7.2 | 2.7.2 |
| maven/org.apache.kafka:kafka-clients | >=2.0.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.13 | =2.8.0 | 2.8.1 |
| maven/org.apache.kafka:kafka_2.13 | >=2.7.0<2.7.2 | 2.7.2 |
| maven/org.apache.kafka:kafka_2.13 | >=2.4.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.12 | >=2.0.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.11 | >=2.0.0<=2.4.1 | |
| Apache Kafka | >=2.0.0<2.6.3 | |
| Apache Kafka | >=2.7.0<2.7.2 | |
| Apache Kafka | =2.8.0 | |
| Quarkus Quarkus | <2.2.4 | |
| Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0.0.5.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6.0<=8.0.9.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.1.0.0.0<=8.1.20 | |
| Oracle Financial Services Behavior Detection Platform | >=8.0.6.0.0<=8.0.8.0 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.1.0 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.1.1 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.1 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.2 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1 | |
| Oracle Financial Services Enterprise Case Management | =8.1.1.0 | |
| Oracle Financial Services Enterprise Case Management | =8.1.1.1 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Primavera Unifier | =21.12 | |
| redhat/kafka-2.8.1 kafka-clients | <2.8.1 | 2.8.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-38153
- https://kafka.apache.org/cve-list
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://support.confluent.io/hc/en-us/articles/4407632156692-CVE-2021-38153-Confluent-Platform-Vulnerability-Timing-attacks
- https://github.com/advisories/GHSA-3j6g-hxx5-3q26 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-38153 https://nvd.nist.gov/vuln/detail/CVE-2021-38153
- https://bugzilla.redhat.com/show_bug.cgi?id=2009041
- https://access.redhat.com/errata/RHSA-2022:0219
- https://access.redhat.com/errata/RHSA-2022:2232
- https://access.redhat.com/errata/RHSA-2022:6407
- https://access.redhat.com/errata/RHSA-2022:5606
- https://access.redhat.com/errata/RHSA-2022:0501
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:0589
- https://access.redhat.com/errata/RHSA-2022:0737
- https://access.redhat.com/security/cve/cve-2021-38153
- https://github.com/apache/kafka/commit/3325342fecba56c2f5b28d60ca37605a7ebf420a
- https://github.com/apache/kafka/commit/d7abd32f3569a65a4b59c7dd8a655b17ffa1b455
- https://github.com/apache/kafka/commit/00c086e9087c3163cb0502bf0067bae4d401d66e
- https://github.com/apache/kafka/commit/be5889d1d110abfd2f580d88b109a9a0c8e7b2d6
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-38153?
The severity of CVE-2021-38153 is medium.
Which components in Apache Kafka are vulnerable to CVE-2021-38153?
Some components in Apache Kafka are vulnerable to CVE-2021-38153.
How can I fix CVE-2021-38153?
To fix CVE-2021-38153, users should upgrade to Apache Kafka 2.8.1 or higher, or 3.0.0 or higher.
Where can I find more information about CVE-2021-38153?
You can find more information about CVE-2021-38153 at the following references: [link1](https://www.cve.org/CVERecord?id=CVE-2021-38153), [link2](https://nvd.nist.gov/vuln/detail/CVE-2021-38153), [link3](https://bugzilla.redhat.com/show_bug.cgi?id=2009041), [link4](https://access.redhat.com/errata/RHSA-2022:0219).
- collector/github-advisory-latest
- alias/GHSA-3j6g-hxx5-3q26
- alias/CVE-2021-38153
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/trending
- package-manager/maven
- vendor/apache
- canonical/apache kafka
- version/apache kafka/2.0.0
- version/apache kafka/2.7.0
- version/apache kafka/2.8.0
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/oracle
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.5.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6.0
- version/oracle financial services analytical applications infrastructure/8.0.9.0
- version/oracle financial services analytical applications infrastructure/8.1.0.0.0
- version/oracle financial services analytical applications infrastructure/8.1.20
- canonical/oracle financial services behavior detection platform
- version/oracle financial services behavior detection platform/8.0.6.0.0
- version/oracle financial services behavior detection platform/8.0.8.0
- version/oracle financial services behavior detection platform/8.1.1.0
- version/oracle financial services behavior detection platform/8.1.1.1
- version/oracle financial services behavior detection platform/8.1.2.0
- canonical/oracle financial services enterprise case management
- version/oracle financial services enterprise case management/8.0.7.1
- version/oracle financial services enterprise case management/8.0.7.2
- version/oracle financial services enterprise case management/8.0.8.0
- version/oracle financial services enterprise case management/8.0.8.1
- version/oracle financial services enterprise case management/8.1.1.0
- version/oracle financial services enterprise case management/8.1.1.1
- canonical/oracle primavera unifier
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- version/oracle primavera unifier/21.12
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4