CVE-2021-38153: Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks...

Description

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

5.77%

92.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Kafka	>= 2.0.0, < 2.6.3
Apache	Kafka	>= 2.7.0, < 2.7.2
Apache	Kafka	2.8.0
Quarkus	Quarkus	< 2.2.4
Oracle	Communications Brm - Elastic Charging Engine	< 12.0.0.4.6
Oracle	Communications Brm - Elastic Charging Engine	12.0.0.5.0
Oracle	Communications Cloud Native Core Policy	1.15.0
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.6.0, <= 8.0.9.0
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.1.0.0.0, <= 8.1.20
Oracle	Financial Services Behavior Detection Platform	>= 8.0.6.0.0, <= 8.0.8.0
Oracle	Financial Services Behavior Detection Platform	8.1.1.0
Oracle	Financial Services Behavior Detection Platform	8.1.1.1
Oracle	Financial Services Behavior Detection Platform	8.1.2.0
Oracle	Financial Services Enterprise Case Management	8.0.7.1
Oracle	Financial Services Enterprise Case Management	8.0.7.2
Oracle	Financial Services Enterprise Case Management	8.0.8.0
Oracle	Financial Services Enterprise Case Management	8.0.8.1
Oracle	Financial Services Enterprise Case Management	8.1.1.0
Oracle	Financial Services Enterprise Case Management	8.1.1.1
Oracle	Primavera Unifier	18.8
Oracle	Primavera Unifier	19.12
Oracle	Primavera Unifier	20.12
Oracle	Primavera Unifier	21.12

References

Timeline

Published: Sep 22, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-38153?

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

How severe is CVE-2021-38153?

CVE-2021-38153 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 5.77% probability of exploitation in the next 30 days.

How do I fix CVE-2021-38153?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.