[ https://issues.apache.org/jira/browse/AMBARI-25806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandeep Kumar reassigned AMBARI-25806:
--------------------------------------

    Assignee: Sandeep Kumar

> Upgrade kafka clients to resolve CVEs
> -------------------------------------
>
>                 Key: AMBARI-25806
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25806
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Sandeep Kumar
>            Assignee: Sandeep Kumar
>            Priority: Major
>              Labels: pull-request-available
>
> CVE-2018-17196:
> In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to
> manually craft a Produce request which bypasses transaction/idempotent ACL
> validation. Only authenticated clients with Write permission on the
> respective topics are able to exploit this vulnerability. Users should
> upgrade to 2.1.1 or later where this vulnerability has been fixed.
>
> CVE-2021-38153:
> Some components in Apache Kafka use `Arrays.equals` to validate a password or
> key, which is vulnerable to timing attacks that make brute force attacks for
> such credentials more likely to be successful. Users should upgrade to 2.8.1
> or higher, or 3.0.0 or higher where this vulnerability has been fixed. The
> affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
> 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2,
> 2.7.0, 2.7.1, and 2.8.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@ambari.apache.org
For additional commands, e-mail: issues-h...@ambari.apache.org
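The CVE-2021-38153 description above says `Arrays.equals` leaks timing when it compares a secret. The following is an added illustration, not Kafka's or Ambari's code: `earlyExitCompare` is a hypothetical instrumented comparator that counts how many bytes an early-exit compare examines before stopping, `constantTimeEquals` is a hand-written constant-time alternative, and the JDK's `MessageDigest.isEqual` is shown as the library fix. The sample byte strings are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // Hypothetical instrumentation: mirrors the early-exit behaviour of
    // Arrays.equals and returns how many bytes were examined. That count
    // (and therefore the running time) grows with the length of the matching
    // prefix, which is the signal a timing attack measures.
    static int earlyExitCompare(byte[] expected, byte[] guess) {
        int examined = 0;
        if (expected.length != guess.length) return examined;
        for (int i = 0; i < expected.length; i++) {
            examined++;
            if (expected[i] != guess[i]) break;
        }
        return examined;
    }

    // Constant-time compare: every byte is examined no matter where the first
    // mismatch is; differences are accumulated with XOR/OR and inspected once.
    // Only the length check is data-dependent, and length is not secret here.
    static boolean constantTimeEquals(byte[] expected, byte[] guess) {
        if (expected.length != guess.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ guess[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] secret     = "s3cr3t-password".getBytes(StandardCharsets.UTF_8);
        byte[] wrongEarly = "x3cr3t-password".getBytes(StandardCharsets.UTF_8); // differs at byte 0
        byte[] wrongLate  = "s3cr3t-passworX".getBytes(StandardCharsets.UTF_8); // differs at last byte

        // Arrays.equals answers correctly, but the work it does tracks the matching prefix.
        System.out.println("Arrays.equals(early mismatch) = " + Arrays.equals(secret, wrongEarly)
                + ", bytes examined = " + earlyExitCompare(secret, wrongEarly));
        System.out.println("Arrays.equals(late mismatch)  = " + Arrays.equals(secret, wrongLate)
                + ", bytes examined = " + earlyExitCompare(secret, wrongLate));

        // The JDK's constant-time comparison and the manual version give the same answer
        // while examining the full input either way.
        System.out.println("MessageDigest.isEqual         = " + MessageDigest.isEqual(secret, wrongLate));
        System.out.println("constantTimeEquals            = " + constantTimeEquals(secret, wrongLate));
    }
}
```

Running it shows 1 byte examined for the early mismatch versus 15 for the late one, which is exactly the per-byte leak that turns a brute-force guess into a prefix-by-prefix search; the constant-time variants remove that difference.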