Date: Thu, 26 Jul 2018 10:25:22 +0100
From: Rajini Sivaram <rajinisivaram@...il.com>
To: security@...ka.apache.org, oss-security@...ts.openwall.com, 
	announce@...che.org, Users <users@...ka.apache.org>, dev <dev@...ka.apache.org>, 
	kafka-clients <kafka-clients@...glegroups.com>
Subject: CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

CVE-2018-1288: Authenticated Kafka clients may interfere with data
replication

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to
0.11.0.2, 1.0.0

Description:

Authenticated Kafka users may perform actions reserved for the Broker via a
manually created fetch request, interfering with data replication and
resulting in data loss.

Mitigation:

Apache Kafka users should upgrade to one of the following versions, in which
this vulnerability has been fixed:

   - 0.10.2.2 or higher
   - 0.11.0.3 or higher
   - 1.0.1 or higher
   - 1.1.0 or higher

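To turn the affected and fixed version lists above into something an operator can run over a broker inventory, here is an added example (not part of the advisory and not Apache Kafka project code) that parses a Kafka release version string, reports whether it falls inside one of the affected ranges the advisory lists, and names the lowest fixed release from the advisory's list. The ranges and fixed releases are copied from this advisory; the function names, reading the ranges as inclusive on both ends, zero-padding three-part versions like 1.0.0 to four parts for comparison, and dropping a build suffix such as `-SNAPSHOT` are assumptions of the example.

```python
"""Added example: check a Kafka broker version against CVE-2018-1288.

The affected ranges and fixed releases below are copied from the advisory;
everything else (function names, inclusive ranges, zero-padding, suffix
handling) is an assumption of this example, not part of the advisory.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges from the advisory, read as inclusive on both ends.
AFFECTED_RANGES = [
    ("0.9.0.0", "0.9.0.1"),
    ("0.10.0.0", "0.10.2.1"),
    ("0.11.0.0", "0.11.0.2"),
    ("1.0.0", "1.0.0"),
]

# Fixed releases from the advisory ("X or higher").
FIXED_RELEASES = ["0.10.2.2", "0.11.0.3", "1.0.1", "1.1.0"]


def parse_version(text: str) -> Version:
    """Turn 'x.y.z' or 'x.y.z.w' into a 4-tuple of ints.

    Three-part versions such as 1.0.0 are zero-padded to 1.0.0.0 so that
    3- and 4-part versions compare consistently. A build suffix such as
    '1.0.0-SNAPSHOT' is dropped (assumption: the suffix never changes the
    release line).
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Kafka release version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def is_affected(text: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges.

    Versions the advisory does not list (for example anything older than
    0.9.0.0, or 1.0.1 and later) are reported as not affected; the check
    reflects the advisory's list and nothing more.
    """
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def minimum_fixed_release(text: str) -> Optional[str]:
    """Lowest fixed release in the advisory that is not below the given version.

    For an affected 0.9.x broker this is 0.10.2.2, i.e. a move to a newer
    release line, because the advisory lists no 0.9.x fix. Returns None when
    the version is already at or above every listed fix.
    """
    v = parse_version(text)
    candidates = [f for f in FIXED_RELEASES if parse_version(f) >= v]
    if not candidates:
        return None
    return min(candidates, key=parse_version)


def report(text: str) -> str:
    """One-line verdict for a version string, for use in an inventory script."""
    if is_affected(text):
        fix = minimum_fixed_release(text)
        return f"{text}: AFFECTED by CVE-2018-1288, upgrade to {fix} or higher"
    return f"{text}: not in the affected ranges listed for CVE-2018-1288"


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real hosts.
    for v in ["0.9.0.1", "0.10.1.0", "0.11.0.2", "1.0.0", "1.0.1", "2.0.0"]:
        print(report(v))
```

The version string fed to `report` is whatever the broker itself reports (for instance the release version it prints at startup or the one in its jar name); because the advisory only lists the ranges above, a version outside them is reported as "not listed" rather than as positively safe.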
Acknowledgements:

We would like to thank Edoardo Comar and Mickael Maison for reporting this
issue and providing a resolution.

Regards,

Rajini
