apache kafka CVE-2021-38153 vulnerability in Apache and Other Products
Published on September 22, 2021

Timing Attack Vulnerability for Apache Kafka Connect and Clients

product logo product logo product logo
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

NVD

Weakness Type

What is a Side Channel Attack Vulnerability?

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel.

CVE-2021-38153 has been classified to as a Side Channel Attack vulnerability or weakness.


Products Associated with CVE-2021-38153

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-38153 are published in these products:

Apache Kafka
 
Quarkus
 
Oracle Primavera Unifier
 
Oracle Financial Services Enterprise Case Management
 
Oracle Financial Services Behavior Detection Platform
 
Oracle Communications Cloud Native Core Policy
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Communications Brm Elastic Charging Engine
 

Affected Versions

Apache Software Foundation Apache Kafka:

Exploit Probability

EPSS
1.43%
Percentile
80.40%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.