Our security scans detected a security vulnerability in a package that is used in Search Guard.
Could you please upgrade this package to resolve the issue, or state that Search Guard is not vulnerable to this.
Describe the issue:
org.apache.kafka:kafka-clients
Affected versions of this package are vulnerable to Timing Attack. Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to brute force attacks by malicious users.
Resolution
Upgrade org.apache.kafka:kafka-clients to version 2.8.1, 2.7.2 or higher.
Severity: High
Path: search-guard-7/kafka-clients-2.5.1.jar
ID: VULNDB-268486, CVE-2021-38153
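An added example, not Kafka's or Search Guard's own code, showing the Arrays.equals pattern the advisory describes next to a constant-time comparison (MessageDigest.isEqual, and the same check written out by hand so the reason it is constant time is visible); the sample credential bytes are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example (not Kafka's or Search Guard's code): the early-exit comparison
// behind the advisory above and two constant-time alternatives.
public class CredentialCompare {

    // Vulnerable pattern: Arrays.equals returns at the first mismatching byte, so
    // the time it takes reveals how many leading bytes of the supplied value matched.
    static boolean equalsEarlyExit(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of equal-length
    // inputs, so the time taken does not depend on where the first difference is.
    static boolean equalsConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Same idea written by hand: accumulate a difference mask with OR and XOR and
    // never branch on the data. Only the lengths (not the contents) affect timing.
    static boolean equalsConstantTimeManual(byte[] expected, byte[] supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        int diff = expected.length ^ supplied.length;
        int n = Math.min(expected.length, supplied.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values; a real check would compare stored vs. supplied
        // credential material (password bytes, a derived key, or a MAC), not plain strings.
        byte[] stored = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] guess = "correct-horse-xattery".getBytes(StandardCharsets.UTF_8);

        // All three agree on the answer; only the timing behaviour differs.
        System.out.println("Arrays.equals:            " + equalsEarlyExit(stored, guess));
        System.out.println("MessageDigest.isEqual:    " + equalsConstantTime(stored, guess));
        System.out.println("manual constant-time:     " + equalsConstantTimeManual(stored, guess));
        System.out.println("identical input (isEqual):" + equalsConstantTime(stored, stored.clone()));
    }
}
```

When reviewing a dependency like kafka-clients for this class of finding, the thing to look for is any credential, key or MAC comparison done with Arrays.equals or String.equals; replacing it with MessageDigest.isEqual is the usual fix, and upgrading to a release that already contains that fix is what the advisory's resolution asks for.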