Red Hat Kafka
Recent Red Hat Kafka Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2024:9571 | (RHSA-2024:9571) Moderate: Streams for Apache Kafka 2.8.0 release and security update | November 13, 2024 |
By the Year
In 2025 there have been 0 vulnerabilities in Red Hat Kafka. Last year, in 2024, Kafka had 6 security vulnerabilities published. Right now, Kafka is on track to have fewer security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 6 | 6.20 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Kafka vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Kafka Security Vulnerabilities
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote()
CVE-2024-8184 | 6.5 - Medium | October 14, 2024
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
Allocation of Resources Without Limits or Throttling
There exists a security vulnerability in Jetty's DosFilter
CVE-2024-9823 | October 14, 2024
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Uncontrolled Resource Consumption vulnerability in Apache Commons IO
CVE-2024-47554 | October 03, 2024
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Resource Exhaustion
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags
CVE-2024-7254 | September 19, 2024
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
A flaw was found in Kroxylicious
CVE-2024-8285 | 5.9 - Medium | August 30, 2024
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
Improper Certificate Validation
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients
CVE-2024-29025 | March 25, 2024
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have, so an attacker can send a chunked POST consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder accumulates bytes in the `undecodedChunk` buffer until it can decode a field, and this field can accumulate data without limit. This vulnerability is fixed in 4.1.108.Final.