CVE Reference: CVE-2021-38153
Impacted versions: CP 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.1.2, 6.2.0
Recommended action: Update Confluent Platform to 5.2.6, 5.3.6, 5.4.5, 5.5.6, 6.0.4, 6.1.3, 6.2.1 or newer versions
Connect workers running in distributed mode use an internal "POST /connectors/{connectorName}/tasks" REST endpoint to communicate with the other workers in the cluster, and requests to this endpoint are secured with a session key shared by the cluster. The session key is generated automatically and rotated every hour by default; a different interval can be set with the inter.worker.key.ttl.ms distributed worker configuration. Verification of the request signature computed with this session key used a non-constant-time comparison, which opens the theoretical possibility of a brute-force attack in which an attacker uses differences in response time to infer, byte by byte, the signature the worker expects. Successful exploitation would give the attacker the equivalent of the session key: the ability to submit requests to the internal REST API that a worker accepts as coming from another worker.
Kafka clients also used non-constant-time checks for certain credential verification operations. The fix replaces these with constant-time comparisons for all security token verification operations, removing the timing discrepancies that a brute-force attack would rely on.
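The comparison at the centre of this advisory, as an added Python illustration that is not Kafka or Confluent code (Kafka itself is Java, where java.util.Arrays.equals is the early-exit comparison and MessageDigest.isEqual the constant-time one): a verifier that stops at the first mismatching byte of an HMAC-SHA256 request signature, beside one that uses hmac.compare_digest, and a byte-at-a-time recovery of the expected signature that succeeds only against the former. The session key, the request body and the `work` counter that stands in for measured response time are constructed for the example; the verifier and attacker names are hypothetical.

```python
import hmac

# Added illustration (not Kafka/Confluent code). A distributed Connect worker
# signs the body of an internal request with the cluster's session key; the
# receiving worker recomputes the HMAC and compares it with the signature it
# received. That comparison is where the flaw lived: an early-exit byte
# comparison leaks, through its running time, how many leading bytes of the
# attacker's signature matched the expected one.

SIGNATURE_ALGORITHM = "sha256"   # Connect's default signature algorithm is HmacSHA256


def sign(session_key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 request signature over the request body."""
    return hmac.new(session_key, body, SIGNATURE_ALGORITHM).digest()


class LeakyVerifier:
    """Vulnerable verifier: stops at the first mismatching byte, the shape of
    Arrays.equals. `work` counts the bytes compared on the last call and stands
    in for the response time an attacker would measure over the network."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self.work = 0

    def verify(self, body: bytes, signature: bytes) -> bool:
        expected = sign(self._key, body)
        self.work = 0
        if len(expected) != len(signature):
            return False
        for exp_byte, got_byte in zip(expected, signature):
            self.work += 1
            if exp_byte != got_byte:
                return False          # early exit: the timing leak
        return True


class ConstantTimeVerifier(LeakyVerifier):
    """Fixed verifier: hmac.compare_digest, the analogue of MessageDigest.isEqual.
    The cost is the same whether the first mismatch is at byte 0 or byte 31."""

    def verify(self, body: bytes, signature: bytes) -> bool:
        expected = sign(self._key, body)
        self.work = len(expected)     # constant, whatever the signature contains
        return hmac.compare_digest(expected, signature)


def forge_signature(verifier, body: bytes, sig_len: int = 32):
    """Recover the signature the verifier expects for `body`, one byte at a
    time, using only its accept/reject decision and the timing proxy `work`.
    Returns (signature, number_of_verification_queries)."""
    guess = bytearray(sig_len)
    queries = 0
    for pos in range(sig_len):
        for candidate in range(256):
            guess[pos] = candidate
            accepted = verifier.verify(body, bytes(guess))
            queries += 1
            # A correct byte at `pos` makes the leaky verifier go on to compare
            # byte pos+1 (or accept outright when pos is the last byte). The
            # constant-time verifier gives the same `work` for every guess, so
            # this test never singles out the right byte.
            if accepted or verifier.work > pos + 1:
                break
    return bytes(guess), queries


if __name__ == "__main__":
    session_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    request_body = b'[{"connector": "demo", "task": 0}]'                 # constructed

    leaky = LeakyVerifier(session_key)
    forged, n = forge_signature(leaky, request_body)
    print("early-exit verifier accepts forged signature:",
          leaky.verify(request_body, forged), "after", n, "queries")

    fixed = ConstantTimeVerifier(session_key)
    forged, n = forge_signature(fixed, request_body)
    print("constant-time verifier accepts forged signature:",
          fixed.verify(request_body, forged), "after", n, "queries")
```

Against the early-exit verifier the recovery needs at most 256 queries per signature byte (8192 for a 32-byte HMAC) and never needs the session key itself; against the constant-time verifier the same attacker learns nothing and ends up with a signature the worker rejects. Over a real network the `work` counter becomes a noisy timing measurement that must be averaged over many requests, which is why the advisory calls the attack theoretical, but the fix is the same: never compare secrets or MACs with an early-exit routine.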
Fixes are included in the patch release versions 5.2.6, 5.3.6, 5.4.5, 5.5.6, 6.0.4, 6.1.3 and 6.2.1 (and newer versions) of Confluent Platform. These releases address the issue and are no longer susceptible to the timing attack.
CVSS Score: 6.8
CVSS v3.1 Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N