Bug 2130018 (CVE-2022-34917) - CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers
Summary: CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-34917
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2128684
TreeView+ depends on / blocked
 
Reported: 2022-09-26 22:11 UTC by Chess Hazlett
Modified: 2023-01-12 04:01 UTC (History)
27 users (show)

Fixed In Version: kafka 2.8.2, kafka 3.0.2, kafka 3.1.2, kafka 3.2.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-03 20:47:00 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6819 0 None None None 2022-10-05 14:30:54 UTC

Description Chess Hazlett 2022-09-26 22:11:01 UTC
Apache Kafka allows malicious unauthenticated clients to allocate large amounts of memory on brokers, and could lead to OutOfMemoryException and causing denial of service. The following auth methods were affected:
Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue.
Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue.
Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue.

Comment 3 errata-xmlrpc 2022-10-05 14:30:50 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.2.0

Via RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819


Note You need to log in before you can comment on or make changes to this bug.