Posted to users@kafka.apache.org by kangbotao <ka...@huawei.com> on 2020/04/14 01:18:59 UTC

CVEs for the dependency software guava and rocksdbjni of Kafka

Hi Kafka experts:

   I found out that the guava and rocksdbjni used by the latest Kafka version, 2.4.1, relate to several CVEs.

   The CVE for guava 20 is CVE-2018-10237, and the CVEs for rocksdbjni compiled with bzip2 1.0.6 are CVE-2016-3189 and CVE-2019-12900.

   Is Kafka affected by these CVEs?
   Is there any plan to upgrade the version of guava and rocksdbjni?

I sincerely look forward to your reply.

BRs


Re: CVEs for the dependency software guava and rocksdbjni of Kafka

Posted by Ismael Juma <is...@juma.me.uk>.
I don't think Guava is a dependency in master or 2.5.0.

Ismael

On Tue, Apr 14, 2020 at 11:08 AM Guozhang Wang <wa...@gmail.com> wrote:

> Thanks for the reported issue.
>
> For guava I think we should just upgrade version to 24.1.1 or newer to
> resolve 10237.
>
> For rocksdbjni, I saw that at the moment even current master is still using
> bzip version 1.0.6, so 3189 and 12900 would still exist in the newest rocksDB
> version. I'd suggest you post on the rocksdb community and see if their
> community has a better understanding of how to resolve this?
>
>
> Guozhang
>
>
> On Mon, Apr 13, 2020 at 6:19 PM kangbotao <ka...@huawei.com> wrote:
>
> > Hi Kafka experts:
> >
> >    I found out that the guava and rocksdbjni used by the latest Kafka
> > version, 2.4.1, relate to several CVEs.
> >
> >    The CVE for guava 20 is CVE-2018-10237, and the CVEs for rocksdbjni
> > compiled with bzip2 1.0.6 are CVE-2016-3189 and CVE-2019-12900.
> >
> >    Is Kafka affected by these CVEs?
> >    Is there any plan to upgrade the version of guava and rocksdbjni?
> >
> > I sincerely look forward to your reply.
> >
> > BRs
> >
> >
>
> --
> -- Guozhang
>

Re: CVEs for the dependency software guava and rocksdbjni of Kafka

Posted by Guozhang Wang <wa...@gmail.com>.
Thanks for the reported issue.

For guava I think we should just upgrade version to 24.1.1 or newer to
resolve 10237.

For rocksdbjni, I saw that at the moment even current master is still using
bzip version 1.0.6, so 3189 and 12900 would still exist in the newest rocksDB
version. I'd suggest you post on the rocksdb community and see if their
community has a better understanding of how to resolve this?


Guozhang


On Mon, Apr 13, 2020 at 6:19 PM kangbotao <ka...@huawei.com> wrote:

> Hi Kafka experts:
>
>    I found out that the guava and rocksdbjni used by the latest Kafka
> version, 2.4.1, relate to several CVEs.
>
>    The CVE for guava 20 is CVE-2018-10237, and the CVEs for rocksdbjni
> compiled with bzip2 1.0.6 are CVE-2016-3189 and CVE-2019-12900.
>
>    Is Kafka affected by these CVEs?
>    Is there any plan to upgrade the version of guava and rocksdbjni?
>
> I sincerely look forward to your reply.
>
> BRs
>
>

-- 
-- Guozhang
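The first step in answering "is Kafka affected?" is to check which guava and rocksdbjni versions actually land in the resolved dependency tree, and compare them with the fix versions named in this thread. Below is an added example (not code from the thread or from the Kafka project) that parses a constructed `./gradlew dependencies` excerpt and flags the coordinates discussed above; the 24.1.1 threshold for guava comes from Guozhang's suggestion, the rocksdbjni 5.18.3 version in the sample is a made-up value, and rocksdbjni has no fixed version in the thread, so every release of it is flagged for manual review of its bundled bzip2.

```python
import re
from typing import Dict, List, Optional, Tuple

# Advisories as stated in the thread: (CVE note, first fixed version or None).
# None means the thread names no fixed release, so any version is reported.
ADVISORIES: Dict[str, Tuple[str, Optional[str]]] = {
    "com.google.guava:guava": ("CVE-2018-10237", "24.1.1"),
    "org.rocksdb:rocksdbjni": ("CVE-2016-3189, CVE-2019-12900 (bzip2 1.0.6)", None),
}

# Constructed sample of `./gradlew dependencies` output; not real Kafka output.
SAMPLE_TREE = """\
+--- org.rocksdb:rocksdbjni:5.18.3
+--- com.google.guava:guava:20.0
|    \\--- com.google.code.findbugs:jsr305:1.3.9
\\--- org.slf4j:slf4j-api:1.7.28
"""

# Matches Maven coordinates group:artifact:version anywhere on a tree line.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '24.1.1-jre' into (24, 1, 1); non-numeric qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_tree(text: str) -> Dict[str, str]:
    """Map 'group:artifact' -> version for every coordinate in the tree."""
    deps: Dict[str, str] = {}
    for m in DEP_RE.finditer(text):
        group, artifact, version = m.groups()
        deps[f"{group}:{artifact}"] = version
    return deps


def audit(deps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, advisory) for each tracked dependency that
    is below its fixed version or has no fixed version known."""
    findings = []
    for coord, version in deps.items():
        if coord not in ADVISORIES:
            continue
        note, fixed = ADVISORIES[coord]
        if fixed is None or parse_version(version) < parse_version(fixed):
            findings.append((coord, version, note))
    return findings


if __name__ == "__main__":
    for coord, version, note in audit(parse_tree(SAMPLE_TREE)):
        print(f"{coord}:{version} -> {note}")
```

Run it against the real `./gradlew dependencies` output of the Kafka version you ship to see whether the flagged coordinates are actually present in that configuration; a transitive guava that is not resolved at all is not a finding.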