CVE-2022-34917: Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers

Q: What is the vulnerability ID of this Apache Kafka vulnerability?

The vulnerability ID of this Apache Kafka vulnerability is CVE-2022-34917.

Q: What is the severity level of CVE-2022-34917?

CVE-2022-34917 has a severity level of high.

Q: What is the impact of CVE-2022-34917?

CVE-2022-34917 can be exploited by a remote attacker to allocate large amounts of memory on brokers, leading to a denial of service condition.

Q: Which versions of Apache Kafka are affected by this vulnerability?

Apache Kafka versions up to and exclusive of 2.8.2, 3.0.2, 3.1.2, and 3.2.3 are affected by this vulnerability.

Q: How can I fix CVE-2022-34917?

To fix CVE-2022-34917, it is recommended to update Apache Kafka to version 2.8.2 or higher.

Published Sep 20, 2022

Updated

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

Other sources

Apache Kafka allows malicious unauthenticated clients to allocate large amounts of memory on brokers, and could lead to OutOfMemoryException and causing denial of service. The following auth methods were affected: Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue.

— Red Hat

Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to allocate large amounts of memory on brokers, and results in a denial of service condition.

— IBM

Affected Software

15 affected componentsFixes available

Apache Kafka>=2.8.0<2.8.2

Apache Kafka>=3.0.0<3.0.2

Apache Kafka>=3.1.0<3.1.2

Apache Kafka>=3.2.0<3.2.3

redhat/kafka<2.8.2

2.8.2

redhat/kafka<3.0.2

3.0.2

redhat/kafka<3.1.2

3.1.2

redhat/kafka<3.2.3

3.2.3

maven/org.apache.kafka:kafka>=3.2.0<3.2.3

3.2.3

maven/org.apache.kafka:kafka>=3.1.0<3.1.2

3.1.2

maven/org.apache.kafka:kafka>=3.0.0<3.0.2

3.0.2

maven/org.apache.kafka:kafka>=2.8.0<2.8.2

2.8.2

IBM Security Guardium<=11.3

IBM Security Guardium<=11.4

IBM Security Guardium<=11.5

Event History

Sep 20, 2022

CVE Published

via MITRE·08:35 AM

Data Sourced

via MITRE·08:35 AM

DescriptionWeakness

Sep 21, 2022

Advisory Published

via GitHub·12:00 AM

Parent advisories

This vulnerability appears in the following advisories.

IBM-6848317

Frequently Asked Questions

What is the vulnerability ID of this Apache Kafka vulnerability?

The vulnerability ID of this Apache Kafka vulnerability is CVE-2022-34917.

What is the severity level of CVE-2022-34917?

CVE-2022-34917 has a severity level of high.

What is the impact of CVE-2022-34917?