Date: Thu, 26 Jul 2018 10:25:22 +0100
From: Rajini Sivaram <rajinisivaram@...il.com>
To: security@...ka.apache.org, oss-security@...ts.openwall.com, announce@...che.org, Users <users@...ka.apache.org>, dev <dev@...ka.apache.org>, kafka-clients <kafka-clients@...glegroups.com>
Subject: CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

CVE-2018-1288: Authenticated Kafka clients may interfere with data replication

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0

Description:
Authenticated Kafka users may perform actions reserved for the broker via a manually created fetch request, interfering with data replication and resulting in data loss.

Mitigation:
Apache Kafka users should upgrade to one of the following versions, where this vulnerability has been fixed:
- 0.10.2.2 or higher
- 0.11.0.3 or higher
- 1.0.1 or higher
- 1.1.0 or higher

Acknowledgements:
We would like to thank Edoardo Comar and Mickael Maison for reporting this issue and providing a resolution.

Regards,
Rajini