Bug 2130018 (CVE-2022-34917)

Summary: CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: anstephe, avibelli, bgeorges, bmaxwell, chazlett, clement.escoffier, dandread, dkreling, gsmet, hamadhan, jochrist, jross, jscholz, jwon, krathod, lthon, mmclaugh, mmillson, mokumar, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kafka 2.8.2, kafka 3.0.2, kafka 3.1.2, kafka 3.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Kafka that allows malicious unauthenticated clients to allocate large amounts of memory on brokers, which could lead to an OutOfMemoryError and cause a denial of service. The different authentication methods were affected to different degrees. In Kafka clusters without authentication, any client able to connect to a broker could trigger the issue. In Kafka clusters with SASL authentication, any client able to connect to a broker could trigger the issue without needing valid SASL credentials. Lastly, in Kafka clusters with TLS authentication, only clients able to successfully authenticate via TLS could trigger the issue.
Last Closed: 2022-10-03 20:47:00 UTC
Bug Blocks: 2128684

Description Chess Hazlett 2022-09-26 22:11:01 UTC
Apache Kafka allows malicious unauthenticated clients to allocate large amounts of memory on brokers, which could lead to an OutOfMemoryException, causing a denial of service. The following auth methods were affected:
Kafka cluster without authentication: Any client able to establish a network connection to a broker can trigger the issue.
Kafka cluster with SASL authentication: Any client able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue.
Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue.

Comment 3 errata-xmlrpc 2022-10-05 14:30:50 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.2.0

Via RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819