Bug 1611059 (CVE-2018-1288) - CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data loss
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1611060
Reported: 2018-08-02 02:51 UTC by Sam Fowler
Modified: 2021-02-16 23:49 UTC (History)

Fixed In Version: kafka 0.10.2.2, kafka 0.11.0.3, kafka 1.0.1, kafka 1.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:35:01 UTC




Links:
Red Hat Product Errata RHSA-2018:3768 (last updated 2018-12-04 16:02:20 UTC)

Description Sam Fowler 2018-08-02 02:51:17 UTC
Apache Kafka before versions 0.10.2.2, 0.11.0.3, 1.0.1 and 1.1.0 allows users to perform actions reserved for the Broker via manually created fetch requests that interfere with data replication, resulting in data loss.


External Reference:

https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E


Upstream Patches:

https://github.com/apache/kafka/commit/d2932ad370c5b56edac9d99e6d75f199537a569f
https://github.com/apache/kafka/commit/580f743c3ce633241d6076ce83fb778cea86a1f6
https://github.com/apache/kafka/commit/51f0f3ee792cf9352ce61afeca098c765cdad664

Comment 2 errata-xmlrpc 2018-12-04 16:02:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768

