CVE-2021-38153
moderate-risk
Published 2021-09-22
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Do I need to act?
~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
Kafka
Kafka
References (22)
Vendor Advisory
https://kafka.apache.org/cve-list
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Vendor Advisory
https://kafka.apache.org/cve-list
and 2 more references
41
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
3/34 · Minimal
Exposure
20/34 · Moderate