{ "id": "CVE-2021-38153", "sourceIdentifier": "security@apache.org", "published": "2021-09-22T09:15:07.847", "lastModified": "2022-10-05T18:23:37.230", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0." }, { "lang": "es", "value": "Algunos componentes de Apache Kafka usan \"Arrays.equals\" para comprender una contrase\u00f1a o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan m\u00e1s probabilidades de \u00e9xito. Los usuarios deben actualizar a la versi\u00f3n 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.2, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-203" } ] }, { "source": "security@apache.org", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-203" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.6.3", "matchCriteriaId": "37D255E1-95C1-4A9B-B934-E2F0DB117CF2" }, { "vulnerable": true, "criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.7.0", "versionEndExcluding": "2.7.2", "matchCriteriaId": "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866" }, { "vulnerable": true, "criteria": "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*", "matchCriteriaId": "AF660B80-E5F4-4253-95F6-91AABDDC8944" } ] } ] }, { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.4", "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0" } ] } ] }, { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.0.0.4.6", "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.6.0", "versionEndIncluding": "8.0.9.0", "matchCriteriaId": "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0.0.0", "versionEndIncluding": "8.1.20", "matchCriteriaId": "A5DCBA98-B60C-4D51-960D-2C0833762CC7" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.6.0.0", "versionEndIncluding": "8.0.8.0", "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06" }, { "vulnerable": true, "criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2" } ] } ] } ], "references": [ { "url": "https://kafka.apache.org/cve-list", "source": "security@apache.org", "tags": [ "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ] }, { "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E", "source": "security@apache.org", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ] }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "source": "security@apache.org", "tags": [ "Patch", "Third Party Advisory" ] }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html", "source": "security@apache.org", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html", "source": "security@apache.org", "tags": [ "Third Party Advisory" ] } ] }