Bug 1732309 (CVE-2018-17196) - CVE-2018-17196 kafka: potential to bypass transaction/idempotent ACL checks
Summary: CVE-2018-17196 kafka: potential to bypass transaction/idempotent ACL checks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-17196
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1732312
TreeView+ depends on / blocked
 
Reported: 2019-07-23 07:11 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:18 UTC (History)
28 users (show)

Fixed In Version: kafka 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-30 19:07:18 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-07-23 07:11:09 UTC
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.

Comment 1 Dhananjay Arunesh 2019-07-23 07:14:18 UTC
External References:

https://www.mail-archive.com/dev@kafka.apache.org/msg99277.html

Comment 2 Salvatore Bonaccorso 2019-07-26 07:14:10 UTC
Hi

I see ther Alias was corrected from CVE-2019-17196 to the correct CVE (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the cve-metadata from bugzilla XML file at https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml still contains the 2019 CVE.

Could you check if maybe some update to the file is missing?

Regards,
Salvatore

Comment 3 Doran Moppert 2019-08-02 01:17:55 UTC
Thanks Salvatore,

This has been reported to the team responsible for /security/data/metrics; expect an update here soon.

Comment 5 Salvatore Bonaccorso 2019-08-02 18:56:37 UTC
Okay thank you Doran!

Comment 6 Stephen Herr 2019-08-07 15:52:01 UTC
(In reply to Salvatore Bonaccorso from comment #2)
> I see ther Alias was corrected from CVE-2019-17196 to the correct CVE
> (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the
> cve-metadata from bugzilla XML file at
> https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml
> still contains the 2019 CVE.

It is fixed now, thanks for pointing it out!

Comment 7 Joshua Padman 2019-08-12 02:29:22 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Product Security DevOps Team 2019-08-30 19:07:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-17196


Note You need to log in before you can comment on or make changes to this bug.