CVE-2021-38153 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-38153 Interim 1 10 2025-02-17T00:30:22Z current 2021-09-25T01:40:31Z 2025-02-17T00:30:22Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-38153 Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 kafka kafka as a component of HPE Helion OpenStack 8 kafka as a component of SUSE OpenStack Cloud 8 kafka as a component of SUSE OpenStack Cloud 9 kafka as a component of SUSE OpenStack Cloud Crowbar 8 kafka as a component of SUSE OpenStack Cloud Crowbar 9 Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CVE-2021-38153 HPE Helion OpenStack 8:kafka SUSE OpenStack Cloud 8:kafka SUSE OpenStack Cloud 9:kafka SUSE OpenStack Cloud Crowbar 8:kafka SUSE OpenStack Cloud Crowbar 9:kafka moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N