Hi Randall,

Could you please share the JIRA ticket or the fixing commit? It might help to evaluate the impact better. Thank you!

Ivan

On Tue, 21 Sept 2021 at 19:37, Randall Hauch <rha...@apache.org> wrote:
> Severity: moderate
>
> Description:
>
> Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
>
> Credit:
>
> Apache Kafka would like to thank J. Santilli for reporting this issue.
>
> References:
> https://kafka.apache.org/cve-list
>
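The weakness the advisory describes is that `Arrays.equals` stops at the first differing byte, so the time a credential check takes depends on how much of the guess matches the stored secret. The following Java class is an added illustration written for this thread, not code from Apache Kafka or from the fixing commit: it places the short-circuit comparison next to a hand-written constant-time loop, the JDK's own `MessageDigest.isEqual`, and a digest-then-compare variant that also hides the secret's length. The sample credential strings are constructed, and `equalsViaDigest` is a hypothetical helper name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // The pattern the advisory describes: Arrays.equals returns at the first
    // differing byte, so the elapsed time grows with the length of the matching
    // prefix. Repeated timing measurements narrow the search one byte at a time.
    static boolean equalsShortCircuit(byte[] expected, byte[] provided) {
        return Arrays.equals(expected, provided);
    }

    // Hand-written constant-time comparison: XOR every byte pair, OR the results
    // into one accumulator and only inspect it at the end, so equal-length
    // inputs always do the same amount of work regardless of where they differ.
    static boolean equalsConstantTime(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) {
            return false; // only the length is revealed; see the digest variant below
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ provided[i];
        }
        return diff == 0;
    }

    // The JDK already ships a constant-time comparison for equal-length inputs:
    // java.security.MessageDigest.isEqual. Prefer it over a home-grown loop.
    static boolean equalsJdkConstantTime(byte[] expected, byte[] provided) {
        return MessageDigest.isEqual(expected, provided);
    }

    // Hypothetical helper: compare fixed-size SHA-256 digests of both values so
    // the comparison itself no longer depends on the secret's length either.
    static boolean equalsViaDigest(byte[] expected, byte[] provided) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] a = md.digest(expected); // digest() resets md, so reuse is safe
        byte[] b = md.digest(provided);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a stored secret and a guess sharing a prefix.
        byte[] stored  = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] attempt = "correct-horse-bxxxxxx".getBytes(StandardCharsets.UTF_8);

        System.out.println("Arrays.equals         : " + equalsShortCircuit(stored, attempt));
        System.out.println("constant-time loop    : " + equalsConstantTime(stored, attempt));
        System.out.println("MessageDigest.isEqual : " + equalsJdkConstantTime(stored, attempt));
        System.out.println("digest-then-compare   : " + equalsViaDigest(stored, attempt));
        System.out.println("matching value        : " + equalsJdkConstantTime(stored, stored.clone()));
    }
}
```

All four checks return the same boolean for the same inputs; what changes is whether the elapsed time carries information about the secret. `MessageDigest.isEqual` is the drop-in replacement for `Arrays.equals` on byte arrays in Java 6u17 and later; it still returns immediately when lengths differ, which is why the digest variant is worth considering when the secret's length is itself sensitive.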