CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients
First published: Tue Sep 21 2021(Updated: )
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.kafka:kafka-clients | =2.8.0 | 2.8.1 |
| maven/org.apache.kafka:kafka-clients | >=2.7.0<2.7.2 | 2.7.2 |
| maven/org.apache.kafka:kafka-clients | >=2.0.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.13 | =2.8.0 | 2.8.1 |
| maven/org.apache.kafka:kafka_2.13 | >=2.7.0<2.7.2 | 2.7.2 |
| maven/org.apache.kafka:kafka_2.13 | >=2.4.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.12 | >=2.0.0<2.6.3 | 2.6.3 |
| maven/org.apache.kafka:kafka_2.11 | >=2.0.0<=2.4.1 | |
| redhat/kafka-2.8.1 kafka-clients | <2.8.1 | 2.8.1 |
| Apache Kafka | >=2.0.0<2.6.3 | |
| Apache Kafka | >=2.7.0<2.7.2 | |
| Apache Kafka | =2.8.0 | |
| Quarkus Quarkus | <2.2.4 | |
| Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0.0.5.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6.0<=8.0.9.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.1.0.0.0<=8.1.20 | |
| Oracle Financial Services Behavior Detection Platform | >=8.0.6.0.0<=8.0.8.0 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.1.0 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.1.1 | |
| Oracle Financial Services Behavior Detection Platform | =8.1.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.1 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.2 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1 | |
| Oracle Financial Services Enterprise Case Management | =8.1.1.0 | |
| Oracle Financial Services Enterprise Case Management | =8.1.1.1 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Primavera Unifier | =21.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-38153
- https://kafka.apache.org/cve-list
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://support.confluent.io/hc/en-us/articles/4407632156692-CVE-2021-38153-Confluent-Platform-Vulnerability-Timing-attacks
- https://github.com/advisories/GHSA-3j6g-hxx5-3q26 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-38153 https://nvd.nist.gov/vuln/detail/CVE-2021-38153
- https://bugzilla.redhat.com/show_bug.cgi?id=2009041
- https://access.redhat.com/errata/RHSA-2022:0219
- https://access.redhat.com/errata/RHSA-2022:2232
- https://access.redhat.com/errata/RHSA-2022:6407
- https://access.redhat.com/errata/RHSA-2022:5606
- https://access.redhat.com/errata/RHSA-2022:0501
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:0589
- https://access.redhat.com/errata/RHSA-2022:0737
- https://access.redhat.com/security/cve/cve-2021-38153
- https://github.com/apache/kafka/commit/3325342fecba56c2f5b28d60ca37605a7ebf420a
- https://github.com/apache/kafka/commit/d7abd32f3569a65a4b59c7dd8a655b17ffa1b455
- https://github.com/apache/kafka/commit/00c086e9087c3163cb0502bf0067bae4d401d66e
- https://github.com/apache/kafka/commit/be5889d1d110abfd2f580d88b109a9a0c8e7b2d6
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-38153?
The severity of CVE-2021-38153 is medium.
Which components in Apache Kafka are vulnerable to CVE-2021-38153?
Some components in Apache Kafka are vulnerable to CVE-2021-38153.
How can I fix CVE-2021-38153?
To fix CVE-2021-38153, users should upgrade to Apache Kafka 2.8.1 or higher, or 3.0.0 or higher.
Where can I find more information about CVE-2021-38153?
You can find more information about CVE-2021-38153 at the following references: [link1](https://www.cve.org/CVERecord?id=CVE-2021-38153), [link2](https://nvd.nist.gov/vuln/detail/CVE-2021-38153), [link3](https://bugzilla.redhat.com/show_bug.cgi?id=2009041), [link4](https://access.redhat.com/errata/RHSA-2022:0219).
- collector/github-advisory-latest
- alias/GHSA-3j6g-hxx5-3q26
- alias/CVE-2021-38153
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- package-manager/maven
- vendor/apache
- canonical/apache kafka
- version/apache kafka/2.0.0
- version/apache kafka/2.7.0
- version/apache kafka/2.8.0
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/oracle
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.5.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6.0
- version/oracle financial services analytical applications infrastructure/8.0.9.0
- version/oracle financial services analytical applications infrastructure/8.1.0.0.0
- version/oracle financial services analytical applications infrastructure/8.1.20
- canonical/oracle financial services behavior detection platform
- version/oracle financial services behavior detection platform/8.0.6.0.0
- version/oracle financial services behavior detection platform/8.0.8.0
- version/oracle financial services behavior detection platform/8.1.1.0
- version/oracle financial services behavior detection platform/8.1.1.1
- version/oracle financial services behavior detection platform/8.1.2.0
- canonical/oracle financial services enterprise case management
- version/oracle financial services enterprise case management/8.0.7.1
- version/oracle financial services enterprise case management/8.0.7.2
- version/oracle financial services enterprise case management/8.0.8.0
- version/oracle financial services enterprise case management/8.0.8.1
- version/oracle financial services enterprise case management/8.1.1.0
- version/oracle financial services enterprise case management/8.1.1.1
- canonical/oracle primavera unifier
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- version/oracle primavera unifier/21.12
- package-manager/redhat