CVE-2021-38153

{"id": "CVE-2021-38153", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2021-09-22T09:15:07.847", "references": [{"url": "https://kafka.apache.org/cve-list", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."}, {"lang": "es", "value": "Algunos componentes de Apache Kafka usan \"Arrays.equals\" para comprender una contrase\u00f1a o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan m\u00e1s probabilidades de \u00e9xito. Los usuarios deben actualizar a la versi\u00f3n 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0"}], "lastModified": "2023-11-07T03:37:22.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37D255E1-95C1-4A9B-B934-E2F0DB117CF2", "versionEndExcluding": "2.6.3", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866", "versionEndExcluding": "2.7.2", "versionStartIncluding": "2.7.0"}, {"criteria": "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF660B80-E5F4-4253-95F6-91AABDDC8944"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0", "versionEndExcluding": "2.2.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B", "versionEndExcluding": "12.0.0.4.6"}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557"}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D"}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF", "versionEndIncluding": "8.0.9.0", "versionStartIncluding": "8.0.6.0"}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5DCBA98-B60C-4D51-960D-2C0833762CC7", "versionEndIncluding": "8.1.20", "versionStartIncluding": "8.1.0.0.0"}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596", "versionEndIncluding": "8.0.8.0", "versionStartIncluding": "8.0.6.0.0"}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6"}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B"}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C"}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF"}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2"}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F"}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06"}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}