Vulnerability Description
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
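As an added illustration (not Kafka's own code), the pattern the advisory describes beside its fix: `Arrays.equals` stops at the first mismatching byte, so comparison time leaks how much of a guess was right, whereas `MessageDigest.isEqual` runs in time independent of the mismatch position. The class name, method names and sample values are invented for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class CredentialCheck {

    // Vulnerable pattern: Arrays.equals returns as soon as it finds the
    // first differing byte, so the elapsed time reveals how many leading
    // bytes of the presented value matched the stored secret.
    static boolean verifyLeaky(byte[] expected, byte[] presented) {
        return Arrays.equals(expected, presented);
    }

    // Hardened pattern: MessageDigest.isEqual walks the whole input and
    // ORs the differences together, so the time taken does not depend on
    // where (or whether) the first mismatch occurs.
    static boolean verifyConstantTime(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    // Comparing fixed-length digests instead of the raw secret additionally
    // keeps the secret's length out of what a caller can observe.
    static boolean verifyDigest(byte[] expected, byte[] presented) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected);
            byte[] b = md.digest(presented); // digest() resets the instance
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] stored = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] guess  = "correct-horse-bazooka".getBytes(StandardCharsets.UTF_8);

        System.out.println("leaky:         " + verifyLeaky(stored, guess));
        System.out.println("constant-time: " + verifyConstantTime(stored, guess));
        System.out.println("digest:        " + verifyDigest(stored, stored));
    }
}
```

All three methods return the same boolean; the difference is only in what the elapsed time reveals, which is why a code review for this CVE looks for `Arrays.equals` on secrets rather than for a functional bug.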
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Kafka | >= 2.0.0, < 2.6.3 |
| Quarkus | Quarkus | < 2.2.4 |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0, <= 8.0.9.0 |
| Oracle | Financial Services Behavior Detection Platform | >= 8.0.6.0.0, <= 8.0.8.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.1 |
| Oracle | Primavera Unifier | 18.8 |
Related Weaknesses (CWE)
References
- https://kafka.apache.org/cve-list (Vendor Advisory)
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed856304
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)
FAQ
What is CVE-2021-38153?
CVE-2021-38153 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful...
How severe is CVE-2021-38153?
CVE-2021-38153 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-38153?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Kafka, Quarkus Quarkus, Oracle Communications Brm - Elastic Charging Engine, Oracle Communications Cloud Native Core Policy, Oracle Financial Services Analytical Applications Infrastructure.