QID 983504: Java (maven) Security Update for org.apache.kafka:kafka (GHSA-3j6g-hxx5-3q26)
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Successful exploitation of this vulnerability may affect the confidentiality, integrity, and availability of the targeted user.
Customers are advised to refer to GHSA-3j6g-hxx5-3q26 for updates pertaining to this vulnerability.
- GHSA-3j6g-hxx5-3q26 - github.com/advisories/GHSA-3j6g-hxx5-3q26
CVEs related to QID 983504