CVE-2022-34917: Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers
First published: Tue Sep 20 2022(Updated: )
Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to allocate large amounts of memory on brokers, and results in a denial of service condition.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Kafka | >=2.8.0<2.8.2 | |
| Apache Kafka | >=3.0.0<3.0.2 | |
| Apache Kafka | >=3.1.0<3.1.2 | |
| Apache Kafka | >=3.2.0<3.2.3 | |
| IBM Security Guardium | <=11.3 | |
| IBM Security Guardium | <=11.4 | |
| IBM Security Guardium | <=11.5 | |
| redhat/kafka | <2.8.2 | 2.8.2 |
| redhat/kafka | <3.0.2 | 3.0.2 |
| redhat/kafka | <3.1.2 | 3.1.2 |
| redhat/kafka | <3.2.3 | 3.2.3 |
| maven/org.apache.kafka:kafka | >=3.2.0<3.2.3 | 3.2.3 |
| maven/org.apache.kafka:kafka | >=3.1.0<3.1.2 | 3.1.2 |
| maven/org.apache.kafka:kafka | >=3.0.0<3.0.2 | 3.0.2 |
| maven/org.apache.kafka:kafka | >=2.8.0<2.8.2 | 2.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kafka.apache.org/cve-list
- https://exchange.xforce.ibmcloud.com/vulnerabilities/236498
- https://www.ibm.com/support/pages/node/6848317 (Advisory)
- https://access.redhat.com/errata/RHSA-2022:6819
- https://bugzilla.redhat.com/show_bug.cgi?id=2130018
- https://nvd.nist.gov/vuln/detail/CVE-2022-34917
- https://github.com/apache/kafka/commit/14951a83e3fdead212156e5532359500d72f68bc
- https://github.com/apache/kafka/commit/2bfa24b2bd416e7b8c4a0c566b984c43904fdecb
- https://github.com/apache/kafka/commit/aaceb6b79bfcb1d32874ccdbc8f3138d1c1c00fb
- https://github.com/apache/kafka/commit/c1295662768e64b4467e27c3d5158f95f2307657
- https://issues.apache.org/jira/browse/KAFKA-14063
- https://kafka.apache.org/cve-list#CVE-2022-34917
- https://github.com/advisories/GHSA-c9h3-c6qj-hh7q (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this Apache Kafka vulnerability?
The vulnerability ID of this Apache Kafka vulnerability is CVE-2022-34917.
What is the severity level of CVE-2022-34917?
CVE-2022-34917 has a severity level of high.
What is the impact of CVE-2022-34917?
CVE-2022-34917 can be exploited by a remote attacker to allocate large amounts of memory on brokers, leading to a denial of service condition.
Which versions of Apache Kafka are affected by this vulnerability?
Apache Kafka versions up to and exclusive of 2.8.2, 3.0.2, 3.1.2, and 3.2.3 are affected by this vulnerability.
How can I fix CVE-2022-34917?
To fix CVE-2022-34917, it is recommended to update Apache Kafka to version 2.8.2 or higher.
- collector/nvd-index
- agent/type
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-34917
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c9h3-c6qj-hh7q
- collector/nvd-cve
- source/NVD
- agent/author
- agent/references
- agent/weakness
- agent/severity
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/apache
- canonical/apache kafka
- version/apache kafka/2.8.0
- version/apache kafka/3.0.0
- version/apache kafka/3.1.0
- version/apache kafka/3.2.0
- package-manager/redhat
- package-manager/maven
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/11.3
- version/ibm security guardium/11.4
- version/ibm security guardium/11.5