[jira] [Updated] (AMBARI-25798) Upgrade jackson-databind version to 2.12.7.1

Sandeep Kumar (Jira) Mon, 05 Dec 2022 07:44:08 -0800


     [ 
https://issues.apache.org/jira/browse/AMBARI-25798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sandeep Kumar updated AMBARI-25798:
-----------------------------------
    Description: 
CVE-2018-17196:
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually 
craft a Produce request which bypasses transaction/idempotent ACL validation. 
Only authenticated clients with Write permission on the respective topics are 
able to exploit this vulnerability. Users should upgrade to 2.1.1 or later 
where this vulnerability has been fixed.

CVE-2021-38153:
Some components in Apache Kafka use `Arrays.equals` to validate a password or 
key, which is vulnerable to timing attacks that make brute force attacks for 
such credentials more likely to be successful. Users should upgrade to 2.8.1 or 
higher, or 3.0.0 or higher where this vulnerability has been fixed. The 
affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 
2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 
2.7.0, 2.7.1, and 2.8.0.

> Upgrade jackson-databind version to 2.12.7.1
> --------------------------------------------
>
>                 Key: AMBARI-25798
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25798
>             Project: Ambari
>          Issue Type: Story
>            Reporter: Sandeep Kumar
>            Priority: Major
>
> CVE-2018-17196:
> In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to 
> manually craft a Produce request which bypasses transaction/idempotent ACL 
> validation. Only authenticated clients with Write permission on the 
> respective topics are able to exploit this vulnerability. Users should 
> upgrade to 2.1.1 or later where this vulnerability has been fixed.
> CVE-2021-38153:
> Some components in Apache Kafka use `Arrays.equals` to validate a password or 
> key, which is vulnerable to timing attacks that make brute force attacks for 
> such credentials more likely to be successful. Users should upgrade to 2.8.1 
> or higher, or 3.0.0 or higher where this vulnerability has been fixed. The 
> affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 
> 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 
> 2.7.0, 2.7.1, and 2.8.0.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (AMBARI-25798) Upgrade jackson-databind version to 2.12.7.1

Reply via email to