VDB
RHSA-2022%3A0219
RHSA-2022%3A0219
PUBLISHED
CVSS 5.900000095367432 MEDIUM
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Risk Scores
CVSS 3.1
5.900000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat AMQ Streams 1.6.6 |
Timeline
- Jan 20, 2022 CVE Published
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 29, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2022:0219 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=1.6.6 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2009041 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2034067 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0219.json advisory
- https://access.redhat.com/security/cve/CVE-2021-38153 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-38153 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-38153 advisory
- https://access.redhat.com/security/cve/CVE-2021-45105 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-45105 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-45105 advisory
- https://issues.apache.org/jira/browse/LOG4J2-3230 advisory
- https://logging.apache.org/log4j/2.x/security.html advisory
- https://www.openwall.com/lists/oss-security/2021/12/19/1 advisory