Date: Thu, 26 Jul 2018 10:19:45 +0100 From: Rajini Sivaram <rsivaram@...che.org> To: security@...ka.apache.org, oss-security@...ts.openwall.com, announce@...che.org, Users <users@...ka.apache.org>, dev <dev@...ka.apache.org>, kafka-clients <kafka-clients@...glegroups.com> Subject: CVE-2017-12610: Authenticated Kafka clients may impersonate other users CVE-2017-12610: Authenticated Kafka clients may impersonate other users Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Kafka 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1 Description: Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka. Mitigation: Apache Kafka users should upgrade to one of the following versions where this vulnerability has been fixed: - 0.10.2.2 or higher - 0.11.0.2 or higher - 1.0.0 or higher Acknowledgements: This issue was reported by Rajini Sivaram. Regards, Rajini
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ