Apache Kafka CVE-2022-34917: Unauthenticated clients may cause OutOfMemoryError on brokers

Jakub Scholz

As you might have noticed, there is a new CVE in Apache Kafka: CVE-2022-34917. Support for Kafka 3.2.3 and 3.1.2 has already been merged into our main branch. Strimzi 0.31.1 with support for the new Kafka versions will be released soon (expect the RC1 today or tomorrow).

For more details about the CVE, please see https://lists.apache.org/thread/cyj4wfwbyqdqssb2nwwwhxpy0nt5j320 and https://kafka.apache.org/cve-list.

We also started a GitHub discussion on this topic: https://github.com/orgs/strimzi/discussions/7349 … it might be a good way to keep all the discussion in one place.

Thanks & Regards
Strimzi team