CVE-2021-38153
Timing Attack vulnerability in kafka_2.11 (Maven)

Timing attack; no known exploit

What is CVE-2021-38153 About?

This vulnerability is a timing attack in Apache Kafka due to the use of `Arrays.equals` for password or key validation, making brute force attacks more feasible. An attacker can use subtle differences in response times to guess credentials. Exploitation requires careful measurement and analysis of response times.

Affected Software

  • org.apache.kafka:kafka_2.11
    • >2.0.0, <=2.4.1
  • org.apache.kafka:kafka_2.12
    • >2.0.0, <2.6.3
    • >2.7.0, <2.7.2
    • >2.8.0, <2.8.1
  • org.apache.kafka:kafka_2.13
    • >2.7.0, <2.7.2
    • >2.4.0, <2.6.3
    • >2.8.0, <2.8.1
  • org.apache.kafka:kafka-clients
    • >2.0.0, <2.6.3
    • >2.7.0, <2.7.2
    • >2.8.0, <2.8.1

Technical Details

The vulnerability in Apache Kafka (versions 2.0.0 through 2.8.0, i.e. every affected release below 3.0.0) arises from the use of `Arrays.equals` to compare passwords or keys. `Arrays.equals` performs a byte-by-byte comparison and returns as soon as a mismatch is found or all bytes have been compared, so the time it takes depends on where the first mismatching byte lies. That difference in execution time, however slight, can be observed by an attacker. By measuring the response time of authentication attempts with different guesses, an attacker can deduce which prefix of the guess matches the actual password or key. This 'timing side channel' significantly reduces the search space for brute-forcing, making a successful credential guess much more likely.
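As an added illustration (not Kafka's own code), the early-exit comparison this advisory describes next to two constant-time replacements, with an instrumented loop that makes the leaked quantity visible without any timing measurement; the class name, secret and guesses are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example, not Kafka's own code: the early-exit comparison the advisory
// describes next to constant-time replacements, plus an instrumented loop that
// shows why response time reveals how many leading bytes of a guess are right.
public final class CredentialCompare {

    // Vulnerable pattern: Arrays.equals returns at the first mismatching byte,
    // so the time spent grows with the length of the matching prefix.
    static boolean equalsEarlyExit(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }
    // Hardened replacement from the JDK: every byte of equal-length inputs is
    // examined before answering, so only a length mismatch is observable.
    static boolean equalsConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }
    // Same idea by hand: always walk expected.length bytes and fold differences
    // in with OR rather than branching on the first one.
    static boolean equalsFixedWork(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ (i < supplied.length ? supplied[i] : 0);
        }
        return diff == 0;
    }
    // Instrumented copy of the early-exit loop: the number of bytes inspected
    // is the quantity a timing measurement leaks.
    static int earlyExitSteps(byte[] expected, byte[] supplied) {
        int steps = 0;
        for (int i = 0; i < Math.min(expected.length, supplied.length); i++) {
            steps++;
            if (expected[i] != supplied[i]) break;
        }
        return steps;
    }

    public static void main(String[] args) {
        byte[] secret = "hunter2-correct-horse".getBytes(StandardCharsets.US_ASCII); // constructed
        for (int n : new int[] {0, 4, 8, secret.length}) {   // guesses sharing n leading bytes
            byte[] guess = new byte[secret.length];
            Arrays.fill(guess, (byte) 'z');
            System.arraycopy(secret, 0, guess, 0, n);
            System.out.printf("prefix=%2d  early-exit inspected %2d bytes, fixed-work always %2d, match=%b%n", n, earlyExitSteps(secret, guess), secret.length, equalsConstantTime(secret, guess));
        }
    }
}
```

The inspected-byte count rises with each correct prefix byte for the early-exit loop, while the fixed-work comparisons do the same amount of work for every guess.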

What is the Impact of CVE-2021-38153?

Successful exploitation may allow attackers to deduce passwords or keys through timing analysis, significantly increasing the likelihood of successful brute-force attacks and leading to unauthorized access to Kafka brokers and data.

What is the Exploitability of CVE-2021-38153?

Exploitation involves repeatedly submitting credentials and meticulously measuring the response times to infer character-by-character matches with the actual password or key. This is a complex attack, requiring a controlled network environment and advanced analytical capabilities. The attack exercises the authentication mechanism itself, so the only privilege required is the ability to make authentication requests. This is a remote access vulnerability. Special conditions include a stable network connection to minimize noise in timing measurements. Risk factors that increase exploitation likelihood include weak or easily guessable passwords, or scenarios where an attacker has many attempts and can accurately measure response times without being detected by rate-limiting or lockout mechanisms.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-38153?

Available Upgrade Options

  • org.apache.kafka:kafka_2.12
    • >2.0.0, <2.6.3 → Upgrade to 2.6.3
    • >2.7.0, <2.7.2 → Upgrade to 2.7.2
    • >2.8.0, <2.8.1 → Upgrade to 2.8.1
  • org.apache.kafka:kafka-clients
    • >2.0.0, <2.6.3 → Upgrade to 2.6.3
    • >2.7.0, <2.7.2 → Upgrade to 2.7.2
    • >2.8.0, <2.8.1 → Upgrade to 2.8.1
  • org.apache.kafka:kafka_2.13
    • >2.4.0, <2.6.3 → Upgrade to 2.6.3
    • >2.7.0, <2.7.2 → Upgrade to 2.7.2
    • >2.8.0, <2.8.1 → Upgrade to 2.8.1


Additional Resources

What are Similar Vulnerabilities to CVE-2021-38153?

Similar Vulnerabilities: CVE-2023-35617, CVE-2023-38038, CVE-2023-28430, CVE-2022-28822, CVE-2022-21703