SB2022111506 - Timing attack in IBM Operations Analytics - Log Analysis
Published: November 15, 2022
Security Bulletin ID
SB2022111506
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2021-38153)
The vulnerability allows a local user to escalate privileges on the system.
the vulnerability exists due to some components in Apache Kafka use "Arrays.equals" to validate a password or key, which is vulnerable to timing attacks. A local user can abuse the "Arrays.equals" to brute force access credentials and escalate privileges on the system.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache-kafka-affect-ibm-operations-analytics-log-analysis-cve-2021-38153/"
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache-kafka-affect-ibm-operations-analytics-log-analysis-cve-2021-38153/</a><br><a
- https://www.ibm.com/support/pages/node/6839075"
- https://www.ibm.com/support/pages/node/6839075</a><br></p>