[ https://issues.apache.org/jira/browse/AMBARI-25806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated AMBARI-25806:
------------------------------------
    Labels: pull-request-available  (was: )

> Upgrade kafka clients to resolve CVEs
> -------------------------------------
>
>                 Key: AMBARI-25806
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25806
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Sandeep Kumar
>            Priority: Major
>              Labels: pull-request-available
>
> CVE-2018-17196:
> In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to 
> manually craft a Produce request which bypasses transaction/idempotent ACL 
> validation. Only authenticated clients with Write permission on the 
> respective topics are able to exploit this vulnerability. Users should 
> upgrade to 2.1.1 or later where this vulnerability has been fixed.
>
> CVE-2021-38153:
> Some components in Apache Kafka use `Arrays.equals` to validate a password or 
> key, which is vulnerable to timing attacks that make brute force attacks for 
> such credentials more likely to be successful. Users should upgrade to 2.8.1 
> or higher, or 3.0.0 or higher where this vulnerability has been fixed. The 
> affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 
> 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 
> 2.7.0, 2.7.1, and 2.8.0.
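An added illustration of the weakness behind CVE-2021-38153, showing the short-circuiting `Arrays.equals` check beside two constant-time replacements. This is example code written for this page, not code from Ambari or Kafka, and the credential bytes in `main` are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // Weak pattern named in the CVE: Arrays.equals returns as soon as the
    // lengths differ or the first differing byte is found, so its running
    // time depends on how many leading bytes of the guess match the secret.
    static boolean shortCircuitEquals(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Constant-time replacement: on JDK 8 and later MessageDigest.isEqual
    // visits every byte of the first array whatever the position of the
    // first mismatch, so timing no longer reveals the matching prefix.
    static boolean constantTimeEquals(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    // Hand-rolled equivalent for code that cannot depend on MessageDigest:
    // OR all byte differences together and branch only once, at the end.
    // (The loop bound is the shorter length; array lengths are not treated
    // as secret here.)
    static boolean manualConstantTimeEquals(byte[] stored, byte[] supplied) {
        if (stored == null || supplied == null) {
            return stored == supplied;
        }
        int diff = stored.length ^ supplied.length;
        int n = Math.min(stored.length, supplied.length);
        for (int i = 0; i < n; i++) {
            diff |= stored[i] ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] stored = "s3cret-client-key".getBytes(StandardCharsets.UTF_8);
        byte[] nearMiss = "s3cret-client-kez".getBytes(StandardCharsets.UTF_8);

        // All three agree on the answer; only the last two do the same amount
        // of work for a near-miss as for a guess that is wrong from byte one.
        if (shortCircuitEquals(stored, nearMiss) || constantTimeEquals(stored, nearMiss)
                || manualConstantTimeEquals(stored, nearMiss)) {
            throw new AssertionError("near-miss guess must be rejected");
        }
        if (!constantTimeEquals(stored, stored.clone())
                || !manualConstantTimeEquals(stored, stored.clone())) {
            throw new AssertionError("matching credential must be accepted");
        }
    }
}
```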



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@ambari.apache.org
For additional commands, e-mail: issues-h...@ambari.apache.org