CVE-2021-38153 — Observable Discrepancy in Apache Kafka

CWE-203 — Observable Discrepancy CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition10 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

1.2%

top 21.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

9

Apache Kafka Oracle Communications BRM Elastic Charging Engine Quarkus +6 more

Timeline

PublishedSep 22

Latest updateJul 15

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages9 packages

▶NVDapache/kafka2.0.0 — 2.6.3+2

▶CVEListV5apache_software_foundation/apache_kafkaApache Kafka 2.0.x — 2.0.1+8

▶NVDquarkus/quarkus< 2.2.4

▶NVDoracle/communications_brm_elastic_charging_engine< 12.0.0.4.6+1

▶NVDoracle/financial_services_behavior_detection_platform8.0.6.0.0 — 8.0.8.0+3

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

5

OSV

Observable Discrepancy in Apache Kafka↗2021-09-23

▶

GHSA

Observable Discrepancy in Apache Kafka↗2021-09-23

▶

CVEList

Timing Attack Vulnerability for Apache Kafka Connect and Clients↗2021-09-22

▶

OSV

CVE-2021-38153: Some components in Apache Kafka use `Arrays↗2021-09-22

▶

VulnCheck

Apache kafka Observable Discrepancy↗2021

▶

📋Vendor Advisories

4

Oracle

Oracle Oracle Communications Applications Risk Matrix: Notifications (Apache Kafka) — CVE-2021-38153↗2022-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Policy (Apache Kafka) — CVE-2021-38153↗2022-04-15

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Event Streams and Communications (Apache Kafka) — CVE-2021-38153↗2022-01-15

▶

Red Hat

Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients↗2021-09-21

▶

External resources

Affected products9

Apache Kafka≥ 2.0.0, < 2.6.3≥ 2.7.0, < 2.7.2v2.8.0

Apache Software Foundation Apache Kafka≥ Apache Kafka 2.0.x, ≤ 2.0.1≥ Apache Kafka 2.1.x, ≤ 2.1.1≥ Apache Kafka 2.2.x, ≤ 2.2.2+6 more

Oracle Communications BRM Elastic Charging Enginefixed in 12.0.0.4.6v12.0.0.5.0

Oracle Communications Cloud Native Core Policyv1.15.0

Oracle Financial Services Analytical Applications Infrastructure≥ 8.0.6.0, ≤ 8.0.9.0≥ 8.1.0.0.0, ≤ 8.1.20

Oracle Financial Services Behavior Detection Platform≥ 8.0.6.0.0, ≤ 8.0.8.0v8.1.1.0v8.1.1.1+1 more

Oracle Financial Services Enterprise Case Managementv8.0.7.1v8.0.7.2v8.0.8.0+3 more

Oracle Primavera Unifierv18.8v19.12v20.12+1 more

Quarkusfixed in 2.2.4

Disclosure

PublishedSep 22, 2021

Latest updateJul 15, 2022

CVE-2021-38153 — Observable Discrepancy in Apache Kafka | cvebase