An update for kafka is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-2062 Final 1.0 1.0 2022-11-11 Initial 2022-11-11 2022-11-11 openEuler SA Tool V1.0 2022-11-11 kafka security update An update for kafka is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications. Security Fix(es): When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.(CVE-2019-12399) A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.(CVE-2022-34917) An update for kafka is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kafka https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2062 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2019-12399 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-34917 https://nvd.nist.gov/vuln/detail/CVE-2019-12399 https://nvd.nist.gov/vuln/detail/CVE-2022-34917 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS kafka-2.8.2-1.oe1.aarch64.rpm kafka-2.8.2-1.oe1.aarch64.rpm kafka-2.8.2-1.oe2203.aarch64.rpm kafka-2.8.2-1.oe1.src.rpm kafka-2.8.2-1.oe1.src.rpm kafka-2.8.2-1.oe2203.src.rpm kafka-2.8.2-1.oe1.x86_64.rpm kafka-2.8.2-1.oe1.x86_64.rpm kafka-2.8.2-1.oe2203.x86_64.rpm When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector s task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. 2022-11-11 CVE-2019-12399 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kafka security update 2022-11-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2062 A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions. 2022-11-11 CVE-2022-34917 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kafka security update 2022-11-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2062