Memory Allocation with Excessive Size Value Affecting org.apache.kafka:kafka-clients package, versions [2.8.0,2.8.2) [3.0.0,3.0.2) [3.1.0,3.1.2) [3.2.0,3.2.3)


Severity: high

Snyk CVSS
    Attack Complexity Low
    Availability High

NVD
    7.5 high

  • Snyk ID SNYK-JAVA-ORGAPACHEKAFKA-3027430
  • published 20 Sep 2022
  • disclosed 20 Sep 2022
  • credit Mickael Maison, Tom Bentley and Daniel Collins

How to fix?

Upgrade org.apache.kafka:kafka-clients to version 2.8.2, 3.0.2, 3.1.2, 3.2.3 or higher.
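The affected ranges in the title use Maven range notation, "[low,high)" meaning low inclusive and high exclusive, which is easy to misread when auditing many services. The following is an added example, not code from Snyk or Apache Kafka: it parses those ranges as written, classifies a kafka-clients version, names the smallest fixed release on the same line, and scans a constructed snippet of `mvn dependency:tree` output. The sample tree text and helper names are assumptions for illustration; the ranges and fixed versions are copied from this advisory.

```python
"""Check kafka-clients versions against the advisory's affected ranges.

Added example, not code from Snyk or Apache Kafka. The ranges and fixed
versions are copied from the advisory; everything else (the sample
dependency-tree text, the helper names) is constructed for illustration.
Range notation is Maven style: "[low,high)" means low inclusive, high exclusive.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, bool, Version, bool]  # (low, low_inclusive, high, high_inclusive)

# Affected ranges exactly as the advisory title lists them.
AFFECTED_RANGES = "[2.8.0,2.8.2) [3.0.0,3.0.2) [3.1.0,3.1.2) [3.2.0,3.2.3)"

# Minimum fixed version per release line, from the "How to fix?" section.
FIXED_VERSIONS = ("2.8.2", "3.0.2", "3.1.2", "3.2.3")

_RANGE_RE = re.compile(r"([\[(])([^,]+),([^\])]+)([\])])")
# Matches the kafka-clients line in `mvn dependency:tree` output.
_DEP_RE = re.compile(r"org\.apache\.kafka:kafka-clients:jar:([^:\s]+)")


def parse_version(text: str) -> Version:
    """'3.2.3' -> (3, 2, 3). Pads to three parts so '3.2' == '3.2.0'.
    Assumption: a qualifier such as '-SNAPSHOT' is dropped, so pre-release
    ordering is not modelled; good enough for released artifacts."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_ranges(spec: str) -> List[Range]:
    """Turn '[a,b) (c,d]' into (low, low_inclusive, high, high_inclusive) tuples."""
    return [
        (parse_version(low), open_br == "[", parse_version(high), close_br == "]")
        for open_br, low, high, close_br in _RANGE_RE.findall(spec)
    ]


def in_range(version: Version, rng: Range) -> bool:
    low, low_inc, high, high_inc = rng
    above_low = version > low or (low_inc and version == low)
    below_high = version < high or (high_inc and version == high)
    return above_low and below_high


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True when `version` falls inside any affected range. Note that 3.2.2
    is reported as affected because the advisory's range runs to 3.2.3."""
    v = parse_version(version)
    return any(in_range(v, r) for r in parse_ranges(spec))


def minimum_fix(version: str) -> Optional[str]:
    """Smallest fixed version on the same x.y release line, or None when
    the version is not affected. Any later release also fixes it."""
    if not is_affected(version):
        return None
    line = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == line:
            return fixed
    return None


def scan_dependency_tree(text: str) -> List[Tuple[str, bool]]:
    """Every kafka-clients version found in dependency-tree text, with a verdict."""
    return [(m.group(1), is_affected(m.group(1))) for m in _DEP_RE.finditer(text)]


# Constructed sample of `mvn dependency:tree` output, not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.apache.kafka:kafka-clients:jar:3.1.1:compile
[INFO] |  \\- org.xerial.snappy:snappy-java:jar:1.1.8.4:compile
[INFO] +- org.apache.kafka:kafka-streams:jar:3.1.1:compile
"""

if __name__ == "__main__":
    for found, affected in scan_dependency_tree(SAMPLE_TREE):
        verdict = f"AFFECTED, upgrade to {minimum_fix(found)}" if affected else "ok"
        print(f"kafka-clients {found}: {verdict}")
```

The checker deliberately follows the advisory's ranges rather than the note below, so 3.2.2 is flagged even though it contains the fix; that matches the recommendation to move to 3.2.3. Transitive copies of kafka-clients (pulled in by kafka-streams, Spring Kafka and similar) appear on their own line in the tree and are caught the same way.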

Overview

org.apache.kafka:kafka-clients is the client library for Apache Kafka, a streaming platform that can publish and subscribe to streams of records, store them in a fault-tolerant, durable way, and process them as they occur.

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value. A malicious, unauthenticated client can cause brokers to allocate large amounts of memory, leading to a denial of service.
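The advisory does not reproduce the affected code path, so the following is an added, deliberately simplified illustration of the weakness class it names, not Apache Kafka's parser or its fix. It reads a made-up length-prefixed wire field two ways: the weak pattern sizes a buffer from the peer-supplied length before checking that the frame carries that many bytes, while the hardened pattern refuses any declared size that exceeds the bytes remaining in the frame or a configured cap. The frame layout, the cap value and the constructed frames are assumptions for illustration only.

```python
"""Illustration of the weakness class named by the advisory (CWE-789,
Memory Allocation with Excessive Size Value) on a made-up length-prefixed
wire field. Added example, not Apache Kafka's parser or its fix: frames,
field layout and the cap value are assumptions for illustration only.
"""
import struct
from typing import Tuple

# Assumed per-field cap; a real server would derive this from its
# configured maximum request size.
MAX_FIELD_BYTES = 1024 * 1024


class MalformedFrame(ValueError):
    """Raised when a frame's declared sizes are inconsistent with its contents."""


def _read_length(frame: bytes, offset: int) -> int:
    """Read a signed 32-bit big-endian length prefix (negative = null field)."""
    if offset + 4 > len(frame):
        raise MalformedFrame("truncated length prefix")
    return struct.unpack_from(">i", frame, offset)[0]


def read_bytes_naive(frame: bytes, offset: int) -> Tuple[bytes, int, int]:
    """Weak pattern: size the buffer from the peer-controlled prefix before
    checking that the frame actually carries that many bytes.
    Returns (field, next_offset, bytes_allocated)."""
    declared = _read_length(frame, offset)
    offset += 4
    if declared < 0:
        return b"", offset, 0
    buf = bytearray(declared)            # allocation driven entirely by the peer
    available = min(declared, len(frame) - offset)
    buf[:available] = frame[offset:offset + available]
    return bytes(buf), offset + declared, declared


def read_bytes_checked(frame: bytes, offset: int,
                       max_bytes: int = MAX_FIELD_BYTES) -> Tuple[bytes, int]:
    """Hardened pattern: a declared size may never exceed the bytes still in
    the frame, nor the configured cap, so nothing is allocated until the
    prefix has been shown to be plausible."""
    declared = _read_length(frame, offset)
    offset += 4
    if declared < 0:
        return b"", offset
    remaining = len(frame) - offset
    if declared > remaining:
        raise MalformedFrame(f"field declares {declared} bytes, only {remaining} remain")
    if declared > max_bytes:
        raise MalformedFrame(f"field declares {declared} bytes, cap is {max_bytes}")
    return bytes(frame[offset:offset + declared]), offset + declared


def rejects(frame: bytes) -> bool:
    """True when the hardened reader refuses the frame's first field."""
    try:
        read_bytes_checked(frame, 0)
    except MalformedFrame:
        return True
    return False


# Constructed frames. The hostile one is 12 bytes long but declares a
# 10 MiB field; the naive reader obligingly allocates it.
GOOD_FRAME = struct.pack(">i", 5) + b"hello"
NULL_FIELD_FRAME = struct.pack(">i", -1)
TRUNCATED_FRAME = struct.pack(">i", 3) + b"ab"
HOSTILE_FRAME = struct.pack(">i", 10 * 1024 * 1024) + b"\x00" * 8

if __name__ == "__main__":
    _, _, allocated = read_bytes_naive(HOSTILE_FRAME, 0)
    print(f"naive reader allocated {allocated} bytes for a {len(HOSTILE_FRAME)}-byte frame")
    print(f"checked reader rejects hostile frame: {rejects(HOSTILE_FRAME)}")
    print(f"checked reader on good frame: {read_bytes_checked(GOOD_FRAME, 0)}")
```

Two caveats for anyone applying the pattern elsewhere. Bounding a field by the bytes remaining only helps if the frame itself is already bounded by the transport layer's maximum request size; otherwise the attacker simply declares a huge frame. And the per-field cap limits one allocation, not the total: many connections each sending maximal frames still need a separate budget.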

Note:

  1. This vulnerability was fixed in 3.2.2, but because of an unrelated major bug in that release, we recommend that users upgrade to 3.2.3.

  2. The fix touches two components, the clients module and the message generator, so both were affected.