Bug 1190852 (CVE-2021-38153)

Summary: VUL-1: CVE-2021-38153: kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Product: [openSUSE] openSUSE Distribution
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Security
Assignee: Michał Rostecki <mrostecki>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
Version: Leap 15.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/310623/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2021-09-24 12:23:25 UTC
Some components in Apache Kafka use `Arrays.equals` to validate a password or
key, which is vulnerable to timing attacks that make brute force attacks for
such credentials more likely to be successful. Users should upgrade to 2.8.1 or
higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected
versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2,
2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and
2.8.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38153
http://seclists.org/oss-sec/2021/q3/184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
http://www.cvedetails.com/cve/CVE-2021-38153/
https://kafka.apache.org/cve-list
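As an added illustration (not Kafka's code and not part of this report), the leaky comparison the advisory describes next to a constant-time replacement built on the JDK's `MessageDigest.isEqual`; the stored credential and the helper names are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCheck {

    // Vulnerable pattern: Arrays.equals returns as soon as it finds the first
    // differing byte, so the time it takes depends on how many leading bytes of
    // the supplied value match the stored secret. Measured over many requests,
    // that difference is what makes a byte-by-byte guess feasible.
    static boolean verifyLeaky(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Hardened form: MessageDigest.isEqual examines every byte regardless of
    // where the first mismatch sits, so the timing is independent of the
    // contents for equal-length inputs. It still returns early when the lengths
    // differ, which is why the values compared here are fixed-length digests.
    static boolean verifyConstantTime(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    // Hash the secret before comparing so that a length mismatch reveals nothing
    // about the password itself (assumed helper, not from the advisory).
    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256")
                .digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = sha256("constructed-sample-secret");

        if (!verifyConstantTime(stored, sha256("constructed-sample-secret"))) {
            throw new IllegalStateException("matching credential must verify");
        }
        if (verifyConstantTime(stored, sha256("constructed-sample-secret!"))) {
            throw new IllegalStateException("non-matching credential must fail");
        }
        // Both checks return the same boolean as verifyLeaky would; the
        // difference is only in how long a mismatch takes to report.
        System.out.println("constant-time comparison behaves as expected");
    }
}
```

The same substitution applies to any password, MAC or SCRAM proof check that currently goes through `Arrays.equals`; verifying a digest rather than the raw credential keeps the inputs fixed-length so the early length check in `MessageDigest.isEqual` leaks nothing useful.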
Comment 1 Gabriele Sonnu 2021-09-24 12:26:28 UTC
Affected packages:

 - openSUSE:Backports:SLE-15-SP2/kafka                  2.1.0
 - openSUSE:Backports:SLE-15-SP3/kafka                  2.1.0
 - openSUSE:Backports:SLE-15-SP4/kafka                  2.1.0
 - openSUSE:Factory/kafka                               2.1.0

Please update kafka to a non-vulnerable version (>= 2.8.1).