Impacted Versions
- Confluent Platform 7.8.x before 7.8.9, 7.9.x before 7.9.8, 8.0.x before 8.0.6, 8.1.x before 8.1.4, and 8.2.x before 8.2.2
- Confluent Cloud managed clusters
Recommended Action
- Confluent Platform: upgrade to the patch release for your minor version line: 7.8.9, 7.9.8, 8.0.6, 8.1.4 or 8.2.2
- Confluent Cloud: no action is needed; the issue has already been remediated in Confluent Cloud.
Issue
A security vulnerability affecting both Confluent Platform and Confluent Cloud has been identified. It is caused by improper handling of the telemetry that the Kafka broker receives from Kafka clients: processing maliciously crafted client telemetry can exhaust broker memory, leading to a loss of availability (denial of service).
Mitigation
There are currently no known mitigations.
Remediation
This issue is resolved in the Confluent Platform patch releases 7.8.9, 7.9.8, 8.0.6, 8.1.4 and 8.2.2. Upgrade each broker to the patch release for its minor version line.
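The following script is an added example for checking a broker inventory against the patch releases named in this advisory; it is not Confluent tooling. It assumes reported version strings start with MAJOR.MINOR.PATCH and may carry a build suffix (for example "-ce" or "-ccs"), which is ignored. Minor lines the advisory does not name (7.7.x and older) are reported as "not_listed" for manual review rather than judged either way, and the inventory is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patch releases named in the advisory, keyed by minor line (major, minor).
FIXED_VERSIONS = {
    (7, 8): (7, 8, 9),
    (7, 9): (7, 9, 8),
    (8, 0): (8, 0, 6),
    (8, 1): (8, 1, 4),
    (8, 2): (8, 2, 2),
}

# Assumption: a leading "v" and any suffix after the third number are tolerated.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version string such as "7.9.5-ccs".

    Returns None when no MAJOR.MINOR.PATCH prefix is present.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Classify one broker version against the advisory's fixed releases.

    Returns one of:
      "fixed"       - at or above the patch release for its minor line
      "affected"    - below the patch release for its minor line
      "not_listed"  - minor line not named in the advisory; needs manual review
      "unparseable" - no recognizable version number
    """
    v = parse_version(version)
    if v is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "not_listed"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "fixed" if v >= fixed else "affected"


# Constructed sample inventory (hostname, reported version); not real data.
SAMPLE_INVENTORY = [
    ("kafka-a1", "7.9.5-ccs"),
    ("kafka-a2", "7.9.8-ccs"),
    ("kafka-b1", "8.0.6"),
    ("kafka-b2", "8.2.1-ce"),
    ("kafka-c1", "7.7.3"),
    ("kafka-c2", "unknown"),
]


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification so affected brokers can be scheduled first."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(hosts)}")
```

Feed `audit` the (host, version) pairs from your own inventory source; anything in the "affected" bucket should be upgraded, and "not_listed" or "unparseable" entries should be resolved by hand, since the script deliberately refuses to guess about versions the advisory does not cover.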
CVSS Scores
- Confluent Platform: 5.7 (CVSS v3.1)
- Confluent Cloud: 8.6 (CVSS v3.1)