Posted to dev@kafka.apache.org by Luke Chen <sh...@gmail.com> on 2021/09/01 03:10:50 UTC

Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

Hi Ashish,
I suggested that you upgrade to V2.8.
I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in
V2.8.
If you still find the CVEs exist in V2.8, please raise it.

Thank you.
Luke

On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <as...@gm.com> wrote:

> Hi Team
>
> I wanted to use the 2.6.0 docker image for Kafka but It has lots of
> security vulnerabilities.
> Please find the below list of security vulnerabilities
> CVE-2021-36159
> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
> CVE-2021-22926
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-31535
> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>
> I did raise this issue here
> https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like
> the issue is within the Kafka binary.
>
> Do we have any plan to fix this in the coming version or any suggestions
> around this?
>
> Thanks
>
> Ashish
>

Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

Posted by Luke Chen <sh...@gmail.com>.
Hi Ashish,

CVE-2021-36159: It's a libfetch lib vulnerability. It's not Kafka's
dependency lib. I guess it's the docker's base OS image.
CVE-2019-17571: a log4j vulnerability. KAFKA-9366
<https://issues.apache.org/jira/browse/KAFKA-9366> is working on it.

Thank you.
Luke

On Wed, Sep 1, 2021 at 9:26 PM Ashish Patil <as...@gm.com> wrote:

> Hi Team
>
> I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.
>
> What is your suggestion on this?
>
> Thanks
>
> Ashish
>
> *From:* Jake Murphy Smith <ja...@gm.com>
> *Sent:* 01 September 2021 09:31
> *To:* Ashish Patil <as...@gm.com>
> *Subject:* RE: [EXTERNAL] Re: Security vulnerabilities in
> kafka:2.13-2.6.0/2.7.0 docker image
>
> *From:* Luke Chen <sh...@gmail.com>
> *Sent:* 01 September 2021 04:11
> *To:* Kafka Users <us...@kafka.apache.org>
> *Cc:* dev@kafka.apache.org; Jake Murphy Smith <ja...@gm.com>
> *Subject:* [EXTERNAL] Re: Security vulnerabilities in
> kafka:2.13-2.6.0/2.7.0 docker image
>
> *ATTENTION:* This email originated from outside of GM.
>
> Hi Ashish,
>
> I suggested that you upgrade to V2.8.
>
> I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in
> V2.8.
>
> If you still find the CVEs exist in V2.8, please raise it.
>
> Thank you.
>
> Luke
>
> Hi Team
>
> I wanted to use the 2.6.0 docker image for Kafka but It has lots of
> security vulnerabilities.
> Please find the below list of security vulnerabilities
> CVE-2021-36159
> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
> CVE-2021-22926
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-31535
> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>
> I did raise this issue here
> https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like
> the issue is within the Kafka binary.
>
> Do we have any plan to fix this in the coming version or any suggestions
> around this?
>
> Thanks
>
> Ashish
>
>
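The distinction Luke draws above (a CVE in the base OS image versus one in a jar that ships inside the Kafka release) is what decides who can actually fix a scanner finding. The script below is an added example, not code from this thread or from the Kafka project: it triages a constructed Trivy-style scan report by that distinction, assuming the Kafka jars live under opt/kafka/libs; the Alpine base, the package versions and the jackson-databind attribution of CVE-2020-25649 are assumptions made for the sample.

```python
import json

# Constructed sample in the shape of a Trivy-style JSON report. The Alpine base,
# the versions and the jackson-databind attribution are assumptions for this
# example, not real scan output of the kafka:2.13-2.6.0 image.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "kafka:2.13-2.6.0 (alpine 3.12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
         "InstalledVersion": "2.10.5-r1", "FixedVersion": "2.10.7-r0"}]},
    {"Target": "opt/kafka/libs/log4j-1.2.17.jar", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-17571", "PkgName": "log4j:log4j",
         "InstalledVersion": "1.2.17", "FixedVersion": ""}]},
    {"Target": "opt/kafka/libs/jackson-databind-2.10.5.jar", "Class": "lang-pkgs",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-25649", "PkgName": "jackson-databind",
         "InstalledVersion": "2.10.5", "FixedVersion": "2.10.5.1"}]},
]})

KAFKA_LIBS = "opt/kafka/libs/"  # assumed location of the Kafka tarball's jars

def classify(result):
    """Decide who owns the fix for one scanner result (one scanned target)."""
    if result.get("Class") == "os-pkgs":
        return "base-image"        # fix by rebuilding on a patched base OS image
    if result.get("Target", "").startswith(KAFKA_LIBS):
        return "kafka-dependency"  # ships inside the Kafka release; needs a Kafka fix
    return "other"

def triage(report_json):
    """Map each CVE id to its fix owner and whether an upstream fix exists."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        owner = classify(result)
        for vuln in result.get("Vulnerabilities", []):
            out[vuln["VulnerabilityID"]] = {
                "package": vuln["PkgName"],
                "owner": owner,
                # empty FixedVersion: no patched release exists, so a Kafka upgrade alone
                "fix_available": bool(vuln.get("FixedVersion")),  # cannot clear it
            }
    return out

def summarize(triaged):
    """Group CVE ids by fix owner so each list can go to the right party."""
    groups = {}
    for cve, info in sorted(triaged.items()):
        groups.setdefault(info["owner"], []).append(cve)
    return groups
```

With the sample, log4j ends up as a Kafka dependency with no fixed version, which is the case the thread points to KAFKA-9366 for.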

Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

Posted by Colin McCabe <cm...@apache.org>.
It seems like your image does not show up on the mailing list.

best,
Colin

On Wed, Sep 1, 2021, at 06:26, Ashish Patil wrote:
> Hi Team
>
> I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.
>
> What is your suggestion on this?
>
> Thanks
> Ashish
>  
> *From:* Jake Murphy Smith <ja...@gm.com> 
> *Sent:* 01 September 2021 09:31
> *To:* Ashish Patil <as...@gm.com>
> *Subject:* RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> *From:* Luke Chen <sh...@gmail.com> 
> *Sent:* 01 September 2021 04:11
> *To:* Kafka Users <us...@kafka.apache.org>
> *Cc:* dev@kafka.apache.org; Jake Murphy Smith <ja...@gm.com>
> *Subject:* [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> *ATTENTION:* This email originated from outside of GM.
>
> Hi Ashish,
> I suggested that you upgrade to V2.8.
> I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in V2.8.
> If you still find the CVEs exist in V2.8, please raise it.
>
> Thank you.
> Luke
>
> On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <as...@gm.com> wrote:
>> Hi Team
>> 
>> I wanted to use the 2.6.0 docker image for Kafka but It has lots of security vulnerabilities.
>> Please find the below list of security vulnerabilities
>> CVE-2021-36159
>> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
>> CVE-2021-22926
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-31535
>> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>> 
>> I did raise this issue here https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the issue is within the Kafka binary.
>>
>> Do we have any plan to fix this in the coming version or any suggestions around this?
>> 
>> Thanks
>> Ashish

RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

Posted by Ashish Patil <as...@gm.com>.
Hi Team

I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.

[inline image image003.jpg: not rendered in the list archive]

What is your suggestion on this?

Thanks
Ashish

From: Jake Murphy Smith <ja...@gm.com>
Sent: 01 September 2021 09:31
To: Ashish Patil <as...@gm.com>
Subject: RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

From: Luke Chen <sh...@gmail.com>
Sent: 01 September 2021 04:11
To: Kafka Users <us...@kafka.apache.org>
Cc: dev@kafka.apache.org; Jake Murphy Smith <ja...@gm.com>
Subject: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

ATTENTION: This email originated from outside of GM.

Hi Ashish,
I suggested that you upgrade to V2.8.
I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in V2.8.
If you still find the CVEs exist in V2.8, please raise it.

Thank you.
Luke

On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <as...@gm.com> wrote:

Hi Team

I wanted to use the 2.6.0 docker image for Kafka but It has lots of security vulnerabilities.
Please find the below list of security vulnerabilities
CVE-2021-36159
CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
CVE-2021-22926
CVE-2021-22922
CVE-2021-22924
CVE-2021-22922
CVE-2021-22924
CVE-2021-31535
CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>

I did raise this issue here https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the issue is within the Kafka binary.

Do we have any plan to fix this in the coming version or any suggestions around this?
Thanks
Ashish
