Dear Apache Kafka Users,

We want to bring to your attention a security vulnerability affecting all
released versions of Apache Kafka that have a dependency on Zookeeper. The
vulnerability, identified as CVE-2023-44981 [1], specifically impacts users
utilizing SASL Quorum Peer authentication in Zookeeper.

Vulnerability Details:
- Affected Versions: All released versions of Apache Kafka with Zookeeper
dependency.
- CVE Identifier: CVE-2023-44981 [1]
- Impact: Limited to users employing SASL Quorum Peer authentication in
Zookeeper (quorum.auth.enableSasl=true)

Action Required:
Upcoming Apache Kafka versions, 3.6.1 (release date - tentative Dec '23)
and 3.7.0 (release date - Jan'23 [3]), will depend on Zookeeper versions
containing fixes for the vulnerability. In the interim, we strongly advise
taking proactive steps to safeguard Zookeeper ensemble election/quorum
communication by restricting it with a firewall [2].
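As an added example (not part of this announcement or the Kafka/ZooKeeper projects' code), a small POSIX shell check that reads a ZooKeeper zoo.cfg, reports whether quorum.auth.enableSasl is set to true (the condition under which this CVE applies) and extracts the peer and leader-election ports from the server.N entries, which are the ensemble election/quorum ports the firewall advice above refers to. The sample configuration, hostnames and ports below are constructed.

```shell
#!/bin/sh
# Added example: scan a ZooKeeper zoo.cfg for the CVE-2023-44981 precondition
# (quorum.auth.enableSasl=true) and list the ensemble ports to firewall.

# Print "enabled" if quorum.auth.enableSasl is set to true, else "disabled".
# Leading/trailing whitespace around the key, '=' and value is tolerated.
quorum_sasl_status() {
  cfg="$1"
  if grep -Eq '^[[:space:]]*quorum\.auth\.enableSasl[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$cfg"; then
    echo enabled
  else
    echo disabled
  fi
}

# Print the unique quorum (peer) and leader-election ports, space separated,
# from entries of the form server.N=host:peerPort:electionPort[;clientPort].
# These are the ports that should be reachable only from ensemble members.
quorum_ports() {
  cfg="$1"
  sed -n -E 's/^[[:space:]]*server\.[0-9]+[[:space:]]*=[[:space:]]*([^:;]+):([0-9]+):([0-9]+).*/\2 \3/p' "$cfg" \
    | tr ' ' '\n' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample zoo.cfg for demonstration (not a real deployment's file).
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorum.auth.enableSasl=true
server.1=zoo1.example.internal:2888:3888
server.2=zoo2.example.internal:2888:3888
server.3=zoo3.example.internal:2888:3888
EOF

echo "quorum SASL auth: $(quorum_sasl_status "$SAMPLE_CFG")"
echo "ports to restrict to ensemble members: $(quorum_ports "$SAMPLE_CFG")"
```

If the first line reports "enabled", the ensemble is in the affected configuration and the listed ports are the ones to limit to ensemble members until the fixed ZooKeeper dependency ships.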

Future Updates:
We are diligently working on addressing this vulnerability in our upcoming
releases. We will keep you updated on any changes to our recommendations
and promptly inform you of the release dates for Apache Kafka versions
3.6.1 and 3.7.0.

If you have any further questions regarding this, please don't hesitate to
reach out to us at secur...@kafka.apache.org or post a comment at
https://issues.apache.org/jira/browse/KAFKA-15658

Best Regards,

Divij Vaidya
On behalf of Apache Kafka PMC

[1] https://zookeeper.apache.org/security.html#CVE-2023-44981
[2] https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
[3] https://cwiki.apache.org/confluence/display/KAFKA/Release+Plan+3.7.0
