CVE-2021-38153
Published 2021-09-22
Severity: medium, 5.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
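As an added illustration, not code from the Kafka project or from this advisory, the timing-unsafe pattern the advisory names is shown beside a comparison that does not stop at the first mismatching byte; the credential bytes are constructed sample values:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // Vulnerable pattern from the advisory: Arrays.equals returns as soon as the
    // first differing byte is found, so the time taken depends on how many
    // leading bytes of the supplied secret match the stored one. That difference
    // is what a timing attack measures to guess a credential byte by byte.
    static boolean timingUnsafeEquals(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Hardened form: MessageDigest.isEqual inspects every byte of equal-length
    // inputs regardless of where they first differ, so the common-prefix length
    // is not leaked. Caveat: it still returns early when the lengths differ, so
    // compare fixed-length values (e.g. a hash of the secret) where possible.
    static boolean constantTimeEquals(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; not values from the advisory.
        byte[] stored = "s3cret-password".getBytes(StandardCharsets.UTF_8);
        byte[] correct = "s3cret-password".getBytes(StandardCharsets.UTF_8);
        byte[] wrong = "s3cret-passworX".getBytes(StandardCharsets.UTF_8);

        // Both comparisons give the same boolean result; only the timing
        // behaviour differs, which is why the bug is invisible to functional tests.
        System.out.println("Arrays.equals:        correct=" + timingUnsafeEquals(stored, correct)
                + " wrong=" + timingUnsafeEquals(stored, wrong));
        System.out.println("MessageDigest.isEqual: correct=" + constantTimeEquals(stored, correct)
                + " wrong=" + constantTimeEquals(stored, wrong));
    }
}
```

Reviewing a code base for this class of defect means looking for `Arrays.equals` (or `String.equals`) applied to passwords, tokens or key material, not only at the version ranges listed below.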
Affected
32 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | kafka | — | — |
| apache | kafka | >= 2.0.0 < 2.6.3 | 2.6.3 |
| apache | kafka | >= 2.7.0 < 2.7.2 | 2.7.2 |
| apache_software_foundation | apache_kafka | Apache Kafka 2.0.x – 2.0.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.1.x – 2.1.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.2.x – 2.2.2 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.3.x – 2.3.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.4.x – 2.4.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.5.x – 2.5.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.6.x – 2.6.2 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.7.x – 2.7.1 | — |
| apache_software_foundation | apache_kafka | Apache Kafka 2.8.x – 2.8.0 | — |
| oracle | communications_brm_elastic_charging_engine | < 12.0.0.4.6 | 12.0.0.4.6 |
| oracle | communications_brm_elastic_charging_engine | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6.0 – 8.0.9.0 | — |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.0.0.0 – 8.1.20 | — |
| oracle | financial_services_behavior_detection_platform | — | — |
| oracle | financial_services_behavior_detection_platform | 8.0.6.0.0 – 8.0.8.0 | — |
| oracle | financial_services_enterprise_case_management | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vulncheck | — | 5.9 | MEDIUM | — |