CVE-2021-38153 Security issue in Searchguard package

arthurpapanyan · February 8, 2023, 7:31pm

Our Security scans detected Security vulnerability on package that is used in serchgurad.
Could you please upgrade this package to resolve the issue, state that Searchguard is not vulnerable with this.

Describe the issue:
org.apache.kafka:kafka-clients

Affected versions of this package are vulnerable to Timing Attack. Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to brute force attacks by malicious users.

Resolution

Upgrade org.apache.kafka:kafka-clients to version 2.8.1, 2.7.2 or higher.
Severity: High

Path: search-guard-7/kafka-clients-2.5.1.jar
ID: VULNDB-268486, CVE-2021-38153

nils · February 10, 2023, 9:29am

Which version of Search Guard are you using? Search Guard FLX 1.0.0 does not have any dependency on the kafka-clients component.

system · March 3, 2023, 9:30am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CVE-2022-46364 \| GHSA-x3x3-qwjq-8gj4 Security Issue on SearchGuard Search Guard	2	493	March 13, 2023
Seach Guard and CVE-2022-42889 Search Guard	3	569	November 15, 2022
Is SearchGuard Affected by CVE-2020-2653 Search Guard	3	453	April 20, 2020
Search Guard v10 released (Important security fixes for DLS/FLS and Auditlog) Search Guard	0	433	January 9, 2017
Apache CXF < 3.5.8, 3.6.x < 3.6.3, 4.0.x < 4.0.4 SSRF Vulnerability on SearchGuard plugins Search Guard	0	73	April 17, 2024

CVE-2021-38153 Security issue in Searchguard package

Related Topics