CVE-2021-38153 Security issue in Searchguard package

Our Security scans detected Security vulnerability on package that is used in serchgurad.
Could you please upgrade this package to resolve the issue, state that Searchguard is not vulnerable with this.

Describe the issue:

Affected versions of this package are vulnerable to Timing Attack. Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to brute force attacks by malicious users.


Upgrade org.apache.kafka:kafka-clients to version 2.8.1, 2.7.2 or higher.
Severity: High

Path: search-guard-7/kafka-clients-2.5.1.jar
ID: VULNDB-268486, CVE-2021-38153

Which version of Search Guard are you using? Search Guard FLX 1.0.0 does not have any dependency on the kafka-clients component.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.