PT-2022-6072 · Apache · Apache Kafka

Published: 2022-09-20 · Updated: 2025-05-29 · CVE-2022-34917

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache Kafka versions 2.8.0 through 3.2.2
Apache Kafka versions 2.8.0 through 3.1.1
Apache Kafka versions 2.8.0 through 3.0.1
Apache Kafka versions 2.8.0 through 2.8.1

Description

A security issue in Apache Kafka is related to uncontrolled resource allocation or throttling. Exploitation of this issue can allow a remote attacker to cause a denial of service. The issue affects all releases since 2.8.0 and allows malicious unauthenticated clients to allocate large amounts of memory on brokers, leading to an OutOfMemoryException. Example scenarios include Kafka clusters without authentication, with SASL authentication, and with TLS authentication, where clients can trigger the issue under different conditions.

Recommendations

To resolve the issue, upgrade Kafka installations to one of the following versions: 3.2.3, 3.1.2, 3.0.2, or 2.8.2. As a temporary workaround, consider restricting network connections to brokers to minimize the risk of exploitation. Restrict access to the Kafka cluster to trusted clients only to reduce the risk of denial of service. Avoid running Kafka clusters without authentication or with weak authentication mechanisms until the issue is resolved.

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2023-00007
BIT-KAFKA-2022-34917
CVE-2022-34917
GHSA-C9H3-C6QJ-HH7Q
OESA-2022-2062

Affected Products

Apache Kafka