{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2021-38153","title":"Title"},{"category":"description","text":"Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2021-38153","url":"https://www.suse.com/security/cve/CVE-2021-38153"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1190852 for CVE-2021-38153","url":"https://bugzilla.suse.com/1190852"}],"title":"SUSE CVE CVE-2021-38153","tracking":{"current_release_date":"2025-04-25T04:34:13Z","generator":{"date":"2023-02-15T03:38:48Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2021-38153","initial_release_date":"2023-02-15T03:38:48Z","revision_history":[{"date":"2023-02-15T03:38:48Z","number":"2","summary":"Current version"},{"date":"2025-01-01T04:16:32Z","number":"3","summary":"Current version"},{"date":"2025-02-15T04:51:15Z","number":"4","summary":"Current version"},{"date":"2025-02-17T05:13:49Z","number":"5","summary":"Current version"},{"date":"2025-03-15T08:44:43Z","number":"6","summary":"Current version"},{"date":"2025-04-25T04:34:13Z","number":"7","summary":"Current version"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"HPE Helion OpenStack 8","product":{"name":"HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8","product_identification_helper":{"cpe":"cpe:/o:suse:hpe-helion-openstack:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 8","product":{"name":"SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 9","product":{"name":"SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:9"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"kafka","product":{"name":"kafka","product_id":"kafka","product_identification_helper":{"cpe":"cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/kafka@?upstream=kafka.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"kafka as component of HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8:kafka"},"product_reference":"kafka","relates_to_product_reference":"HPE Helion OpenStack 8"},{"category":"default_component_of","full_product_name":{"name":"kafka as component of SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8:kafka"},"product_reference":"kafka","relates_to_product_reference":"SUSE OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"kafka as component of SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9:kafka"},"product_reference":"kafka","relates_to_product_reference":"SUSE OpenStack Cloud 9"},{"category":"default_component_of","full_product_name":{"name":"kafka as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:kafka"},"product_reference":"kafka","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"kafka as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:kafka"},"product_reference":"kafka","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2021-38153","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-38153"}],"notes":[{"category":"general","text":"Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.","title":"CVE description"}],"product_status":{"known_not_affected":["HPE Helion OpenStack 8:kafka","SUSE OpenStack Cloud 8:kafka","SUSE OpenStack Cloud 9:kafka","SUSE OpenStack Cloud Crowbar 8:kafka","SUSE OpenStack Cloud Crowbar 9:kafka"]},"references":[{"category":"external","summary":"CVE-2021-38153","url":"https://www.suse.com/security/cve/CVE-2021-38153"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1190852 for CVE-2021-38153","url":"https://bugzilla.suse.com/1190852"}],"threats":[{"category":"impact","date":"2021-09-21T18:00:08Z","details":"moderate"}],"title":"CVE-2021-38153"}]}