VDB

CVE-2022-34917

CVE-2022-34917 PUBLISHED

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

EPSS 0.08% · 23.3th percentile

Risk Scores

EPSS Score
0.08%
23.3th percentile

Affected Products

VendorProductVersions
Bitnamikafka3.2.0, 2.8.0, 3.0.0
Bitnamikafka3.0.0, 3.1.0, 3.2.0

Timeline

  • Sep 19, 2022 CVE Published
  • Sep 21, 2022 EPSS Score
  • Nov 5, 2022 EPSS Score
  • Dec 19, 2022 EPSS Score
  • Feb 2, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • May 3, 2023 EPSS Score
  • Jun 16, 2023 EPSS Score
  • Jul 31, 2023 EPSS Score
  • Sep 14, 2023 EPSS Score
  • Oct 29, 2023 EPSS Score
  • Dec 12, 2023 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›