UBUNTU-CVE-2021-38153

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2021-38153
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38153.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2021-38153
Related
Published
2021-09-22T09:15:00Z
Modified
2024-10-15T14:08:20Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

References

Affected packages

Ubuntu:Pro:18.04:LTS / kafka

Package

Name
kafka
Purl
pkg:deb/ubuntu/kafka?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.0u2-0ubuntu3.1
2.2.0u2-0ubuntu3.2
2.2.2u1-0ubuntu1+esm2

Ecosystem specific 

{
    "ubuntu_priority": "low"
}