Lucene search

IBM4011B6F36DEBD9C43CFA930BA646A07167A3C49E7B0C92A0732645741514CCE4

HistoryNov 14, 2022 - 4:37 a.m.

Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics - Log Analysis (CVE-2021-38153)

2022-11-1404:37:58

www.ibm.com

apache kafka

ibm operations analytics

log analysis

vulnerability

timing attack

remote attacker

sensitive information

cve-2021-38153

brute-force attack

credentials information

upgrade

fix

version 1.3.7.2

scalable data collection architecture

configuring apache kafka brokers

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

59.8%

JSON

Summary

Apache Kafka is vulnerable to timing attacks that could allow remote attacker to obtain sensitive information

Vulnerability Details

CVEID:CVE-2021-38153
**DESCRIPTION:**Apache Kafka could allow a remote attacker to obtain sensitive information, caused by a timing attack flaw due to the use of “Arrays.equals” to validate a password or key. By utilizing brute-force attack techniques, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209762 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.5.3
Log Analysis	1.3.6.0
Log Analysis	1.3.6.1
Log Analysis	1.3.7.0
Log Analysis	1.3.7.1
Log Analysis	1.3.7.2

Remediation/Fixes

Version	Fix details
IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2	Upgrade to Log Analysis version 1.3.7.2 Interim Fix 3. Download the 1.3.7.2-TIV-IOALA-IF003. For Log Analysis prior to 1.3.7.2, upgrade to 1.3.7-TIV-IOALA-FP2 before installing this fix.

For deploying scalable data collection architecture, during configuring Apache Kafka brokers download Apache Kafka v2.8.1 or later instead of using Apache Kafka is bundled with Log Analysis

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsmartcloud_analytics_log_analysisMatch1.3.5.3

ibmsmartcloud_analytics_log_analysisMatch1.3.6.0

ibmsmartcloud_analytics_log_analysisMatch1.3.6.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.0

ibmsmartcloud_analytics_log_analysisMatch1.3.7.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.2

VendorProductVersionCPE
ibmsmartcloud_analytics_log_analysis1.3.5.3cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.5.3:*:*:*:*:*:*:*
ibmsmartcloud_analytics_log_analysis1.3.6.0cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.0:*:*:*:*:*:*:*
ibmsmartcloud_analytics_log_analysis1.3.6.1cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.1:*:*:*:*:*:*:*
ibmsmartcloud_analytics_log_analysis1.3.7.0cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.0:*:*:*:*:*:*:*
ibmsmartcloud_analytics_log_analysis1.3.7.1cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.1:*:*:*:*:*:*:*
ibmsmartcloud_analytics_log_analysis1.3.7.2cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	smartcloud_analytics_log_analysis	1.3.5.3	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.5.3:::::::*
ibm	smartcloud_analytics_log_analysis	1.3.6.0	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.0:::::::*
ibm	smartcloud_analytics_log_analysis	1.3.6.1	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.1:::::::*
ibm	smartcloud_analytics_log_analysis	1.3.7.0	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.0:::::::*
ibm	smartcloud_analytics_log_analysis	1.3.7.1	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.1:::::::*
ibm	smartcloud_analytics_log_analysis	1.3.7.2	cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.2:::::::*