CVE-2021-38153

MEDIUM EXPLOITED

Apache Kafka 2.0.0 - 2.8.0 - Timing Attack in Credential Comparison

Title source: llm

Exploitation Summary

CVE-2021-38153 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
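The flaw is the classic CWE-203 comparison pattern: `Arrays.equals` returns at the first mismatching element, so the time a credential check takes grows with the number of leading bytes an attacker has already guessed correctly, whereas `MessageDigest.isEqual` compares every byte regardless of content. The following stand-alone program, written for this page and not taken from Kafka's source, places the vulnerable check beside the hardened one and measures both against guesses with increasing correct prefixes. The secret, the `'#'` filler byte, the iteration counts and all class and method names are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.function.Predicate;

/*
 * Demonstration of the CWE-203 pattern behind CVE-2021-38153, written for
 * this page (not Kafka code). Arrays.equals short-circuits on the first
 * differing byte; MessageDigest.isEqual does not.
 */
public class TimingCompareDemo {

    // Constructed 64-byte secret. A real broker would hold a SCRAM credential
    // or delegation-token HMAC, which this example does not model.
    static final byte[] STORED =
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
                    .getBytes(StandardCharsets.UTF_8);

    static volatile int sink;  // keeps the JIT from discarding comparison results

    /** Vulnerable pattern: early exit, so timing depends on the matching prefix. */
    static boolean verifyVulnerable(byte[] candidate) {
        return Arrays.equals(STORED, candidate);
    }

    /** Hardened pattern: content-independent comparison time for equal-length inputs. */
    static boolean verifyConstantTime(byte[] candidate) {
        // isEqual still returns early when the lengths differ, so compare
        // fixed-length values (a hash or HMAC of the secret) in real code.
        return MessageDigest.isEqual(STORED, candidate);
    }

    /** Build a guess whose first prefixLen bytes are correct and the rest wrong. */
    static byte[] guessWithPrefix(int prefixLen) {
        byte[] guess = new byte[STORED.length];
        Arrays.fill(guess, (byte) '#');            // '#' never occurs in STORED
        System.arraycopy(STORED, 0, guess, 0, prefixLen);
        return guess;
    }

    /** Median nanoseconds per call over `rounds` batches of `iters` calls. */
    static long medianNanos(Predicate<byte[]> check, byte[] guess, int rounds, int iters) {
        long[] samples = new long[rounds];
        for (int r = 0; r < rounds; r++) {
            int hits = 0;
            long start = System.nanoTime();
            for (int i = 0; i < iters; i++) {
                if (check.test(guess)) hits++;
            }
            samples[r] = (System.nanoTime() - start) / iters;
            sink += hits;
        }
        Arrays.sort(samples);
        return samples[rounds / 2];
    }

    public static void main(String[] args) {
        // Sanity check: both verifiers accept the real secret and reject a wrong one.
        if (!verifyVulnerable(STORED.clone()) || !verifyConstantTime(STORED.clone())
                || verifyVulnerable(guessWithPrefix(0)) || verifyConstantTime(guessWithPrefix(0))) {
            throw new AssertionError("verifier does not behave as expected");
        }
        // Warm up so both paths are JIT-compiled before timing.
        medianNanos(TimingCompareDemo::verifyVulnerable, guessWithPrefix(0), 5, 200_000);
        medianNanos(TimingCompareDemo::verifyConstantTime, guessWithPrefix(0), 5, 200_000);

        System.out.println("correct prefix  Arrays.equals ns  MessageDigest.isEqual ns");
        for (int p = 0; p <= STORED.length; p += 16) {
            byte[] guess = guessWithPrefix(p);
            long vuln = medianNanos(TimingCompareDemo::verifyVulnerable, guess, 31, 200_000);
            long safe = medianNanos(TimingCompareDemo::verifyConstantTime, guess, 31, 200_000);
            System.out.printf("%14d  %16d  %24d%n", p, vuln, safe);
        }
    }
}
```

Compile and run with `javac TimingCompareDemo.java && java TimingCompareDemo`. Expect the `Arrays.equals` column to rise with the correct prefix while the `MessageDigest.isEqual` column stays flat. Two caveats matter for risk assessment: HotSpot intrinsifies `Arrays.equals` with wide vector compares, so the step is coarse (several bytes at a time) and only a few nanoseconds per call, and across a network that signal is buried in jitter unless the attacker averages a large number of requests; that is why the vector above carries AC:H. The dependency is nonetheless real, the fix is a one-line substitution, and for credentials of varying length the value compared should be a fixed-length hash or HMAC so that `isEqual`'s length check does not leak anything either.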

References (11)

Core References
Vendor Advisory: https://kafka.apache.org/cve-list
Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 5.9
EPSS 0.0156
EPSS Percentile 81.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2023-04-11
CWE
CWE-203
Status published
Products (25)
apache/kafka 2.8.0
apache/kafka 2.0.0 - 2.6.3
oracle/communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle/communications_brm_-_elastic_charging_engine < 12.0.0.4.6
oracle/communications_cloud_native_core_policy 1.15.0
oracle/financial_services_analytical_applications_infrastructure 8.0.6.0 - 8.0.9.0
oracle/financial_services_behavior_detection_platform 8.1.1.0
oracle/financial_services_behavior_detection_platform 8.1.1.1
oracle/financial_services_behavior_detection_platform 8.1.2.0
oracle/financial_services_behavior_detection_platform 8.0.6.0.0 - 8.0.8.0
... and 15 more
Published Sep 22, 2021
Tracked Since Feb 18, 2026