CVE-2021-38153

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

How to fix CVE-2021-38153

To remediate CVE-2021-38153, upgrade the affected package to a fixed version below.

• —upgrade to 2.6.3 or later
• —no fix listed
• —upgrade to 2.6.3 or later
• —upgrade to 2.6.3 or later
• —upgrade to 2.6.3 or later

Is CVE-2021-38153 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 2.0.0, < 2.6.3, >= 2.7.0, < 2.7.2, >= 2.8.0, < 2.8.1
• >= 2.0.0, <= 2.4.1
• >= 2.0.0, < 2.6.3
• >= 2.4.0, < 2.6.3
• >= 2.0.0, < 2.6.3

CVSS scores

References (21)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-38153
• PATCHgithub.com/apache/kafka
• WEBkafka.apache.org/cve-list
• WEBlists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E