Posted to jira@kafka.apache.org by "Valeriy Kassenbayev (Jira)" <ji...@apache.org> on 2023/02/27 09:37:00 UTC

[jira] [Reopened] (KAFKA-14206) Upgrade zookeeper to 3.7.1 to address security vulnerabilities

     [ https://issues.apache.org/jira/browse/KAFKA-14206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Valeriy Kassenbayev reopened KAFKA-14206:
-----------------------------------------

Still have the same CVEs reported:
{code:java}
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.4.0 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.4.0 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final {code}
ZooKeeper does not seem to have been upgraded:
{code:java}
[mac /tmp]# tar tzf kafka_2.13-3.4.0.tgz | grep -i libs/zookeeper
kafka_2.13-3.4.0/libs/zookeeper-3.6.3.jar
kafka_2.13-3.4.0/libs/zookeeper-jute-3.6.3.jar
[mac /tmp]# {code}

> Upgrade zookeeper to 3.7.1 to address security vulnerabilities
> --------------------------------------------------------------
>
>                 Key: KAFKA-14206
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14206
>             Project: Kafka
>          Issue Type: Improvement
>          Components: packaging
>    Affects Versions: 3.2.1
>            Reporter: Valeriy Kassenbayev
>            Assignee: Luke Chen
>            Priority: Blocker
>             Fix For: 3.4.0
>
>
> Kafka 3.2.1 is using ZooKeeper, which is affected by [CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and [CVE-2021-37137|https://www.cve.org/CVERecord?id=CVE-2021-37137]:
> {code:java}
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final {code}
> The issues were fixed in the next versions of ZooKeeper (starting from 3.6.4). ZooKeeper 3.7.1 is the next stable [release|https://zookeeper.apache.org/releases.html] at the moment.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
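The check the reporter ran by hand above (listing libs/ in the release tarball and comparing jar versions against the fixed ones) can be scripted so it is repeatable on each release candidate. The script below is an added example, not code from the Jira thread or from the Kafka project. It parses a `tar tzf` listing, pulls the version out of the zookeeper and netty-codec jar names, and compares them numerically with the minimums the thread names (ZooKeeper 3.6.4, netty-codec 4.1.68.Final). The embedded listing is constructed from the comment's output; the netty jar file names in it are an assumption about how the tarball lays out libs/.

```shell
#!/bin/sh
# Added example (not code from the Jira thread): check which zookeeper and
# netty-codec jars a Kafka distribution tarball bundles and compare them with
# the versions the thread names as fixed (ZooKeeper 3.6.4, netty-codec 4.1.68.Final).
# Usage: sh check_kafka_libs.sh [kafka_2.13-3.4.0.tgz]
# With no argument it runs against the constructed listing below.
set -u

# Constructed sample listing, modelled on the `tar tzf` output in the comment;
# the netty jar names are an assumption about how the tarball lays out libs/.
SAMPLE_LISTING='kafka_2.13-3.4.0/libs/kafka_2.13-3.4.0.jar
kafka_2.13-3.4.0/libs/zookeeper-3.6.3.jar
kafka_2.13-3.4.0/libs/zookeeper-jute-3.6.3.jar
kafka_2.13-3.4.0/libs/netty-handler-4.1.63.Final.jar
kafka_2.13-3.4.0/libs/netty-codec-4.1.63.Final.jar'

# Minimum versions taken from the thread: ZooKeeper 3.6.4 is the first release
# with the fix, and Snyk reports netty-codec fixed in 4.1.68.Final.
MIN_ZOOKEEPER=3.6.4
MIN_NETTY_CODEC=4.1.68.Final

# jar_version NAME LISTING: print the version embedded in libs/NAME-<ver>.jar.
# The version must start with a digit, so "zookeeper" does not match
# "zookeeper-jute-3.6.3.jar".
jar_version() {
  printf '%s\n' "$2" \
    | sed -n "s#.*/libs/$1-\([0-9][0-9A-Za-z.]*\)\.jar\$#\1#p" \
    | head -n 1
}

# version_ge A B: succeed if dotted version A >= B, comparing each component
# numerically and ignoring non-numeric parts such as ".Final".
version_ge() {
  i=1
  while :; do
    ca=$(printf '%s' "$1" | cut -d. -f"$i" | tr -cd '0-9')
    cb=$(printf '%s' "$2" | cut -d. -f"$i" | tr -cd '0-9')
    if [ -z "$ca" ] && [ -z "$cb" ]; then
      return 0          # ran out of components on both sides: equal
    fi
    ca=${ca:-0}
    cb=${cb:-0}
    if [ "$ca" -gt "$cb" ]; then return 0; fi
    if [ "$ca" -lt "$cb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# check_jar NAME MIN LISTING: report one jar; fail if it is missing or below MIN.
check_jar() {
  ver=$(jar_version "$1" "$3")
  if [ -z "$ver" ]; then
    echo "MISSING  $1 (no libs/$1-<version>.jar in listing)"
    return 1
  fi
  if version_ge "$ver" "$2"; then
    echo "OK       $1-$ver (>= $2)"
  else
    echo "OUTDATED $1-$ver (< $2)"
    return 1
  fi
}

# check_bundled LISTING: check both jars; fail if either is outdated or missing.
check_bundled() {
  status=0
  check_jar zookeeper "$MIN_ZOOKEEPER" "$1" || status=1
  check_jar netty-codec "$MIN_NETTY_CODEC" "$1" || status=1
  return $status
}

if [ $# -gt 0 ]; then
  LISTING=$(tar tzf "$1")       # real tarball, e.g. kafka_2.13-3.4.0.tgz
else
  LISTING=$SAMPLE_LISTING
fi

if check_bundled "$LISTING"; then
  echo "bundled ZooKeeper and netty-codec are at or above the fixed versions"
else
  echo "tarball still bundles vulnerable versions; the fix did not ship"
fi
```

Run it against the real tarball with `sh check_kafka_libs.sh kafka_2.13-3.4.0.tgz`. It only looks at jar file names, so it catches the case in this thread (an unchanged zookeeper-3.6.3.jar in a release that claims the fix) but not a jar that was repackaged under a newer name; for that, compare the jars' checksums against the upstream release artifacts.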