Bug 2130018 (CVE-2022-34917)
Field | Value
---|---
Summary | CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers
Product | [Other] Security Response
Component | vulnerability
Reporter | Chess Hazlett <chazlett>
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
Severity | high
Priority | high
Version | unspecified
Keywords | Security
Hardware | All
OS | Linux
Fixed In Version | kafka 2.8.2, kafka 3.0.2, kafka 3.1.2, kafka 3.2.3
Last Closed | 2022-10-03 20:47:00 UTC
Bug Blocks | 2128684
CC | anstephe, avibelli, bgeorges, bmaxwell, chazlett, clement.escoffier, dandread, dkreling, gsmet, hamadhan, jochrist, jross, jscholz, jwon, krathod, lthon, mmclaugh, mmillson, mokumar, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas

Doc Text:

A flaw was found in Apache Kafka that allows malicious unauthenticated clients to allocate large amounts of memory on brokers, which could lead to an OutOfMemoryError and so to a denial of service. The authentication methods are affected to different degrees. In Kafka clusters without authentication, any client able to connect to a broker could trigger the issue. In Kafka clusters with SASL authentication, any client able to connect to a broker could trigger the issue without needing valid SASL credentials. In Kafka clusters with TLS authentication, only clients able to authenticate successfully via TLS could trigger the issue.
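
The Doc Text above describes the failure mode only in general terms: a peer that has not yet authenticated gets the broker to reserve memory. The Python model below is an added example, not Kafka's code and not part of this bug report. It stands in for Kafka-style size-prefixed framing (a 4-byte big-endian length in front of every request) and shows why a broker must bound the frame size it accepts before authentication separately from the global request limit. The constant names `SOCKET_REQUEST_MAX_BYTES`, `PRE_AUTH_MAX_BYTES` and `BROKER_HEAP_BYTES`, their values, and the helper functions are assumptions chosen for the illustration; the broker properties they mirror (`socket.request.max.bytes`, `sasl.server.max.receive.size`) are real Kafka settings but are not mentioned anywhere in this bug.

```python
import struct
from typing import Optional

# All constants below are assumptions for this illustration, not values from the bug report.
SOCKET_REQUEST_MAX_BYTES = 100 * 1024 * 1024  # mirrors Kafka's default socket.request.max.bytes
PRE_AUTH_MAX_BYTES = 512 * 1024               # mirrors the default of sasl.server.max.receive.size
BROKER_HEAP_BYTES = 1024 * 1024 * 1024        # hypothetical 1 GiB broker heap


class FrameRejected(Exception):
    """The declared frame size is outside what the broker will accept."""


def frame_header(declared_len: int) -> bytes:
    """Build the 4-byte big-endian size prefix that precedes every Kafka request."""
    return struct.pack(">i", declared_len)


def bytes_to_reserve(header: bytes, authenticated: bool, pre_auth_cap: Optional[int]) -> int:
    """Bytes the broker reserves for a frame, sized from the client's untrusted length prefix.

    pre_auth_cap=None models the vulnerable behaviour: the only bound is the global
    socket.request.max.bytes limit, whether or not the peer has authenticated.
    A non-None cap models the fix: before authentication, frames larger than the cap
    are rejected, so an unauthenticated peer cannot make the broker reserve more than it.
    """
    if len(header) < 4:
        raise FrameRejected("short header")
    (declared,) = struct.unpack(">i", header[:4])
    if declared < 0 or declared > SOCKET_REQUEST_MAX_BYTES:
        raise FrameRejected(f"declared size {declared} exceeds socket.request.max.bytes")
    if not authenticated and pre_auth_cap is not None and declared > pre_auth_cap:
        raise FrameRejected(f"declared size {declared} exceeds pre-auth cap {pre_auth_cap}")
    return declared


def total_reserved(n_clients: int, header: bytes, authenticated: bool,
                   pre_auth_cap: Optional[int]) -> int:
    """Memory reserved when n_clients each open a connection and send one frame with `header`.

    A rejected frame reserves nothing: the broker can drop the connection before
    reading the body.
    """
    reserved = 0
    for _ in range(n_clients):
        try:
            reserved += bytes_to_reserve(header, authenticated, pre_auth_cap)
        except FrameRejected:
            pass
    return reserved


def would_oom(n_clients: int, header: bytes, authenticated: bool,
              pre_auth_cap: Optional[int], heap: int = BROKER_HEAP_BYTES) -> bool:
    """True if the reserved request buffers alone exceed the broker heap."""
    return total_reserved(n_clients, header, authenticated, pre_auth_cap) > heap


if __name__ == "__main__":
    big = frame_header(SOCKET_REQUEST_MAX_BYTES)  # every connection claims a 100 MiB request
    print("unauthenticated, no pre-auth cap:  ", would_oom(11, big, False, None))
    print("unauthenticated, with pre-auth cap:", would_oom(11, big, False, PRE_AUTH_MAX_BYTES))
    print("authenticated, with pre-auth cap:  ", would_oom(11, big, True, PRE_AUTH_MAX_BYTES))
```

The three `would_oom` calls map onto the three deployments in the Doc Text. Without a pre-auth cap, eleven unauthenticated connections each declaring a 100 MiB frame push the model broker past its 1 GiB heap before any credential is checked; with the cap, the same frames are rejected on the length prefix and reserve nothing. An authenticated peer is still bounded only by the global limit in this model, which is why the TLS-authenticated deployment in the Doc Text remains exposed to clients that can complete authentication.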
Description
Chess Hazlett
2022-09-26 22:11:01 UTC
This issue has been addressed in the following products: Red Hat AMQ Streams 2.2.0 Via RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819