Security Advisory regarding TIBCO Messaging - Apache Kafka Distribution
Article ID: KB0108065
Products / Versions
TIBCO Messaging - Bridge for Apache Kafka - Enterprise Edition: 2.1.0 and below
Description
Apache Kafka Vulnerable To Persistent Remote Denial Of Service Via Topic Names
Original release date: June 11, 2019
Last revised: ---
Source: TIBCO Software Inc.
The following component is affected:
* Topic management
The component listed above contains a vulnerability that theoretically allows a user who has permission to create topics to create a topic whose name triggers an unexpected server process exit. When the server later deletes such a topic at user request, discards its data according to the retention policy, or repartitions it, it is theoretically possible that the server process will terminate unexpectedly.
Impact
The impact of this vulnerability includes the theoretical possibility that a malicious user could unexpectedly terminate every Kafka server process in a cluster. Because the crafted topic persists, attempts to restart the servers may also fail.
CVSS v3 Base Score: 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Environment
Systems Affected
Apache Kafka versions 2.2.0 and below.
TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition
versions 2.1.0 and below
TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition
versions 2.1.0 and below
Resolution
Solution
TIBCO has released updated versions of the affected systems which address this issue.
TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition versions 2.1.0 and below upgrade to version 2.2.0-1
TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition versions 2.1.0 and below upgrade to version 2.2.0-1
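The advisory's precondition is a principal with permission to create topics (CVSS PR:L), so until the upgrade is applied the practical exposure is governed by how widely topic creation is granted. The following audit script is an added example and is not TIBCO or Apache Kafka code: it parses a broker server.properties file (two constructed samples are embedded, one weak and one hardened) and flags the settings that let arbitrary authenticated clients create topics. The property names and their defaults (auto.create.topics.enable defaults to true, allow.everyone.if.no.acl.found defaults to false, kafka.security.auth.SimpleAclAuthorizer is the ACL authorizer shipped with Kafka 2.x) are standard Kafka broker configuration; the assumption that restricting topic creation to trusted principals reduces exposure is the editor's, and it is a mitigation rather than a fix for the underlying defect.

```python
"""Audit a Kafka broker's server.properties for settings that allow any
client to create topics. Added example, not TIBCO or Apache Kafka code."""
import re

# Constructed sample: broker with no authorizer and implicit topic creation.
WEAK_PROPERTIES = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
auto.create.topics.enable=true
# no authorizer.class.name configured
"""

# Constructed sample: the same broker hardened. Only principals granted the
# Create operation via ACLs (or listed in super.users) may create topics.
HARDENED_PROPERTIES = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
auto.create.topics.enable=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
"""

# Java .properties allows '=' or ':' as the key/value separator; the first
# occurrence of either ends the key.
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = _LINE.match(line)
        if match:
            key, value = match.groups()
            props[key] = value.strip()
    return props


def audit_topic_creation(props):
    """Return a list of findings about who can create topics on this broker.

    An empty list means topic creation requires an explicit ACL grant (or
    super.users membership), which is the least-privilege posture the
    advisory's PR:L precondition argues for.
    """
    findings = []
    # Kafka's default for auto.create.topics.enable is true.
    if props.get("auto.create.topics.enable", "true").lower() == "true":
        findings.append(
            "auto.create.topics.enable=true: any client that references an "
            "unknown topic name may cause it to be created")
    if not props.get("authorizer.class.name"):
        findings.append(
            "authorizer.class.name is unset: no ACLs are enforced, so every "
            "authenticated client may create topics")
    # Kafka's default for allow.everyone.if.no.acl.found is false.
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(
            "allow.everyone.if.no.acl.found=true: resources with no ACL are "
            "open to all principals, including topic creation")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit_topic_creation(parse_properties(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against a broker's real server.properties by replacing the constructed samples with the file contents; a clean result still requires reviewing the actual ACLs (kafka-acls.sh --list) to confirm that the Create operation is granted only to the principals that need it.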
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Dave Yesland of Rhino Security Labs for discovery of this vulnerability.