814218 – (CVE-2021-38153) <net-misc/kafka-bin-2.8.1: Arrays.equals timing attack vulnerability

Bug 814218 (CVE-2021-38153) - <net-misc/kafka-bin-2.8.1: Arrays.equals timing attack vulnerability

Summary: <net-misc/kafka-bin-2.8.1: Arrays.equals timing attack vulnerability

Status:	RESOLVED FIXED

Alias:	CVE-2021-38153

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://kafka.apache.org/cve-list
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-09-21 20:36 UTC by John Helmert III
Modified:	2021-09-22 23:56 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-09-21 20:36:43 UTC

CVE-2021-38153:

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed.

Please bump.

Comment 1 Patrick Lauer gentoo-dev

2021-09-22 12:32:25 UTC

Bumped, old ebuilds removed in f2e80bca2da029ff8ea4f8f900f75bd391c27f16