PT-2021-7981 · Apache · Apache Kafka

Published: 2019-07-10 · Updated: 2025-06-05 · CVE-2021-38153

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Kafka versions 2.0.0 through 2.8.0

Description: The issue in Apache Kafka is an information disclosure through an observable discrepancy, which allows a remote attacker to perform a brute force attack. Some components of Apache Kafka use Arrays.equals to validate a password or key. Arrays.equals returns as soon as it encounters the first mismatching byte, so the time the comparison takes reveals how many leading bytes of a guess were correct; this timing side channel makes brute force attacks against such credentials more likely to succeed.

Recommendations: For Apache Kafka versions 2.0.0 through 2.8.0, upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this issue has been fixed. As a temporary workaround, consider restricting access to the sensitive components that use Arrays.equals for password or key validation until a patch is applied. Avoid using weak passwords or keys in the affected versions to minimize the risk of exploitation.
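As an added illustration (not code from this advisory or from the Kafka project), the comparison pattern named above beside a constant-time replacement; the class, the method names and the sample secret are constructed for the example:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example: vulnerable comparison pattern next to two constant-time
// alternatives. Class name, method names and the secret are constructed.
public class CredentialCheck {

    // Vulnerable pattern: Arrays.equals returns at the first differing byte
    // (and immediately on a length mismatch), so the time it takes grows with
    // the number of leading bytes of the guess that are correct.
    static boolean verifyLeaky(byte[] expected, byte[] supplied) {
        return java.util.Arrays.equals(expected, supplied);
    }

    // Hardened pattern: MessageDigest.isEqual is specified as a constant-time
    // comparison in current JDKs and examines every byte regardless of where
    // a mismatch occurs.
    static boolean verifyConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Hand-written equivalent for code that cannot rely on the library call:
    // OR-accumulate the XOR of every byte and inspect the result only at the
    // end. The loop length depends on the stored secret, not on the guess.
    static boolean verifyManual(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < expected.length; i++) {
            byte s = i < supplied.length ? supplied[i] : 0;
            diff |= expected[i] ^ s;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        byte[] secret = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);
        byte[] guess  = "constructed-sample-secreT".getBytes(StandardCharsets.UTF_8);
        System.out.println("leaky:         " + verifyLeaky(secret, guess));
        System.out.println("constant-time: " + verifyConstantTime(secret, guess));
        System.out.println("manual:        " + verifyManual(secret, secret));
    }
}
```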

Tags: Fix · RCE · Side Channel Attack


Weakness Enumeration

Related Identifiers

BDU:2022-03778
BDU:2024-00046
BIT-KAFKA-2021-38153
CVE-2021-38153
GHSA-3J6G-HXX5-3Q26

Affected Products

Apache Kafka