Apache Kafka Vulnerable To Persistent Remote Denial Of Service Via Topic Names

Original release date: June 11, 2019
Last revised: ---
Source: TIBCO Software Inc.

Systems Affected

Apache Kafka versions 2.2.0 and below.
TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition versions 2.1.0 and below
TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition versions 2.1.0 and below

The following component is affected:

* Topic management

Description

The component listed above contains a vulnerability that theoretically allows a user with permission to create topics to create topics whose names trigger an unexpected server process exit. With such specially crafted topic names, it is theoretically possible that the server will terminate unexpectedly when it deletes the topic at a user's request, discards it according to the retention policy, or repartitions it.

Impact

The impact of this vulnerability includes the theoretical possibility that a malicious user could unexpectedly terminate a cluster of Kafka server processes. The possibility exists that attempts to restart the server will also fail.

CVSS v3 Base Score: 6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Solution

TIBCO has released updated versions of the affected components which address these issues.

TIBCO Messaging - Apache Kafka Distribution - Core - Community Edition versions 2.1.0 and below: upgrade to version 2.2.0-1
TIBCO Messaging - Apache Kafka Distribution - Core - Enterprise Edition versions 2.1.0 and below: upgrade to version 2.2.0-1

Acknowledgments

TIBCO would like to extend its appreciation to Dave Yesland of Rhino Security Labs for discovery of this vulnerability.

References

http://www.tibco.com/services/support/advisories
https://issues.apache.org/jira/browse/KAFKA-4893