CVE-2021-38153

Published Sep 22, 2021

Last updated a year ago

CVSS medium 5.9

Overview

Description: Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Source: security@apache.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.9
Impact score: 3.6
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-203
security@apache.org: CWE-203

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "37D255E1-95C1-4A9B-B934-E2F0DB117CF2",
            "versionEndExcluding": "2.6.3",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866",
            "versionEndExcluding": "2.7.2",
            "versionStartIncluding": "2.7.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AF660B80-E5F4-4253-95F6-91AABDDC8944"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0",
            "versionEndExcluding": "2.2.4"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B",
            "versionEndExcluding": "12.0.0.4.6"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF",
            "versionEndIncluding": "8.0.9.0",
            "versionStartIncluding": "8.0.6.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A5DCBA98-B60C-4D51-960D-2C0833762CC7",
            "versionEndIncluding": "8.1.20",
            "versionStartIncluding": "8.1.0.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596",
            "versionEndIncluding": "8.0.8.0",
            "versionStartIncluding": "8.0.6.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References