Memory Allocation with Excessive Size Value Affecting org.apache.kafka:generator package, versions [2.8.0,2.8.2) [3.0.0,3.0.2) [3.1.0,3.1.2) [3.2.0,3.2.3)

Severity: high
  • Attack Complexity

    Low

  • Availability

    High

  • snyk-id

    SNYK-JAVA-ORGAPACHEKAFKA-3030062

  • published

    20 Sep 2022

  • disclosed

    20 Sep 2022

  • credit

    Mickael Maison, Tom Bentley and Daniel Collins

How to fix?

Upgrade org.apache.kafka:generator to version 2.8.2, 3.0.2, 3.1.2, 3.2.3 or higher.

Overview

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value: a malicious, unauthenticated client can cause brokers to allocate large amounts of memory, degrading their availability.

Note:

  1. This vulnerability was actually fixed in 3.2.2, but because that release contains an unrelated major bug, users are advised to upgrade to 3.2.3 instead.

  2. The fix was applied in two components, which means that both the clients and the generator packages were affected.
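As an added illustration (not part of the Snyk advisory or of Kafka itself), a small Python helper that parses the version ranges from the title, tells whether a given org.apache.kafka:generator version is affected, maps it to the fix release listed under "How to fix?", and scans constructed `mvn dependency:tree` output for vulnerable entries. The dependency-tree format and the sample lines are assumptions; 3.2.2 is treated as affected because the advisory's range runs up to 3.2.3.

```python
import re

# Affected ranges copied from the advisory title; Snyk's "[lo,hi)" means lo <= v < hi.
AFFECTED_RANGES = "[2.8.0,2.8.2) [3.0.0,3.0.2) [3.1.0,3.1.2) [3.2.0,3.2.3)"
# Fixed releases named under "How to fix?"; note 1 explains why 3.2.3 is listed rather than 3.2.2.
FIXED_VERSIONS = ("2.8.2", "3.0.2", "3.1.2", "3.2.3")
PACKAGE = "org.apache.kafka:generator"
_RANGE_RE = re.compile(r"([\[(])([^,]+),([^\])]+)([\])])")
# Matches a `mvn dependency:tree` entry such as "org.apache.kafka:generator:jar:3.1.1:compile".
_TREE_RE = re.compile(r"(?P<ga>[\w.-]+:[\w.-]+):jar:(?P<version>[^:\s]+)")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a qualifier such as '-SNAPSHOT' is dropped before comparing."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))

def parse_ranges(spec):
    """Turn the interval list into (low, low_inclusive, high, high_inclusive) tuples."""
    return [(parse_version(lo), o == "[", parse_version(hi), c == "]")
            for o, lo, hi, c in _RANGE_RE.findall(spec)]

def is_affected(version, spec=AFFECTED_RANGES):
    """True if `version` lies inside any affected interval."""
    v = parse_version(version)
    return any((v >= lo if lo_inc else v > lo) and (v <= hi if hi_inc else v < hi)
               for lo, lo_inc, hi, hi_inc in parse_ranges(spec))

def recommended_upgrade(version):
    """Fixed release on the same major.minor line, or None when `version` is not affected."""
    if not is_affected(version):
        return None
    same_line = [f for f in FIXED_VERSIONS if parse_version(f)[:2] == parse_version(version)[:2]]
    return same_line[0] if same_line else FIXED_VERSIONS[-1]

def scan_dependency_tree(lines):
    """Return (version, upgrade) for every affected org.apache.kafka:generator entry."""
    findings = []
    for line in lines:
        m = _TREE_RE.search(line)
        if m and m.group("ga") == PACKAGE and is_affected(m.group("version")):
            findings.append((m.group("version"), recommended_upgrade(m.group("version"))))
    return findings

# Constructed sample of `mvn dependency:tree` output, not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.kafka:kafka-clients:jar:3.1.1:compile
[INFO] +- org.apache.kafka:generator:jar:3.1.1:compile
[INFO] \\- org.apache.kafka:generator:jar:3.2.3:test
"""
```

Calling `scan_dependency_tree(SAMPLE_TREE.splitlines())` on the sample flags only the 3.1.1 entry and points it at 3.1.2; the 3.2.3 test-scope entry is outside every affected range.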