Thanks Rajini and the rest of the security team for handling this issue. For people interested in more details about the issue and its discovery we've published a blog post: https://developer.ibm.com/dwblog/2018/anatomy-kafka-cve/
On Thu, Jul 26, 2018 at 10:25 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> CVE-2018-1288: Authenticated Kafka clients may interfere with data replication
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0
>
> Description:
> Authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
>
> Mitigation:
> Apache Kafka users should upgrade to one of the following versions where this vulnerability has been fixed.
> 0.10.2.2 or higher
> 0.11.0.3 or higher
> 1.0.1 or higher
> 1.1.0 or higher
>
> Acknowledgements:
> We would like to thank Edoardo Comar and Mickael Maison for reporting this issue and providing a resolution.
>
> Regards,
>
> Rajini
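The advisory's affected and fixed version lists are easy to misread by hand when triaging a broker inventory (for instance, 0.9.x has no patched release in its own line and must move to 0.10.2.2 or later). The script below is an added example written for this page, not code from the thread or from Apache Kafka; it encodes exactly the ranges quoted above and, for each broker, reports whether its version is listed as affected and the lowest fixed release at or above it. It assumes plain dotted numeric version strings (an optional "-suffix" such as a snapshot tag is stripped), and it treats any version outside the listed ranges as "not listed as affected", which is all the advisory supports. The broker inventory is constructed sample data.

```python
"""Triage a Kafka broker inventory against the CVE-2018-1288 advisory ranges."""
from __future__ import annotations

# Inclusive affected ranges from the advisory, padded to four components
# so that 3-part (1.x) and 4-part (0.x) Kafka versions compare consistently.
AFFECTED_RANGES = [
    ((0, 9, 0, 0), (0, 9, 0, 1)),
    ((0, 10, 0, 0), (0, 10, 2, 1)),
    ((0, 11, 0, 0), (0, 11, 0, 2)),
    ((1, 0, 0, 0), (1, 0, 0, 0)),
]

# Releases the advisory names as fixed ("or higher" applies to each).
FIXED_VERSIONS = [(0, 10, 2, 2), (0, 11, 0, 3), (1, 0, 1, 0), (1, 1, 0, 0)]


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse '0.10.2.1' or '1.0.0' (optionally with a '-suffix') to a 4-tuple."""
    core = text.strip().split("-", 1)[0]          # assumption: drop e.g. "-SNAPSHOT"
    parts = core.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kafka version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums)  # type: ignore[return-value]


def format_version(v: tuple[int, int, int, int]) -> str:
    """Render back in Kafka's own style: four parts before 1.0, three from 1.0 on."""
    return ".".join(str(x) for x in (v if v[0] == 0 else v[:3]))


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> str | None:
    """Lowest fixed release at or above the given version, or None if not affected."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    return format_version(min(f for f in FIXED_VERSIONS if f >= v))


def triage(inventory: dict[str, str]) -> dict[str, tuple[bool, str | None]]:
    """Map broker name -> (affected?, recommended upgrade target)."""
    return {name: (is_affected(ver), recommended_fix(ver)) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "kafka-legacy-1": "0.9.0.1",
        "kafka-prod-1": "0.10.2.1",
        "kafka-prod-2": "0.11.0.2",
        "kafka-new-1": "1.0.0",
        "kafka-new-2": "1.1.0",
    }
    for broker, (affected, fix) in triage(sample).items():
        status = f"AFFECTED -> upgrade to {fix} or higher" if affected else "not listed as affected"
        print(f"{broker:15} {sample[broker]:9} {status}")
```

Run it against your own broker list; the comparison is purely on version strings, so it tells you which brokers the advisory covers, not whether a cluster has actually been subjected to a rogue replica fetch.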