Bug 1732309 (CVE-2018-17196)

Summary: CVE-2018-17196 kafka: potential to bypass transaction/idempotent ACL checks
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: aileenc, avibelli, bgeorges, carnil, cbyrne, chazlett, cmacedo, dffrench, dmoppert, drieden, drusso, ggaughan, janstey, jbalunas, jmadigan, jochrist, jpallich, jshepherd, krathod, lthon, mszynkie, ngough, pgallagh, pwright, rruss, security-response-team, trepel, trogers
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kafka 2.1.1
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in Apache Kafka. This flaw allows authorized clients with write permissions to manually craft a Produce request, which can bypass transaction/idempotent ACL checks.
Last Closed: 2019-08-30 19:07:18 UTC
Bug Blocks: 1732312

Description Dhananjay Arunesh 2019-07-23 07:11:09 UTC
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.

Comment 1 Dhananjay Arunesh 2019-07-23 07:14:18 UTC
External References:

https://www.mail-archive.com/dev@kafka.apache.org/msg99277.html

Comment 2 Salvatore Bonaccorso 2019-07-26 07:14:10 UTC
Hi

I see the Alias was corrected from CVE-2019-17196 to the correct CVE (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the cve-metadata from bugzilla XML file at https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml still contains the 2019 CVE.

Could you check if maybe some update to the file is missing?

Regards,
Salvatore

Comment 3 Doran Moppert 2019-08-02 01:17:55 UTC
Thanks Salvatore,

This has been reported to the team responsible for /security/data/metrics; expect an update here soon.

Comment 5 Salvatore Bonaccorso 2019-08-02 18:56:37 UTC
Okay thank you Doran!

Comment 6 Stephen Herr 2019-08-07 15:52:01 UTC
(In reply to Salvatore Bonaccorso from comment #2)
> I see the Alias was corrected from CVE-2019-17196 to the correct CVE
> (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the
> cve-metadata from bugzilla XML file at
> https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml
> still contains the 2019 CVE.

It is fixed now, thanks for pointing it out!

Comment 7 Joshua Padman 2019-08-12 02:29:22 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Product Security DevOps Team 2019-08-30 19:07:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-17196