Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2022/09/13 12:40:54 UTC

[GitHub] [kafka] divijvaidya commented on pull request #12620: KAFKA-14206: upgrade zookeeper version to 3.7.1

divijvaidya commented on PR #12620:
URL: https://github.com/apache/kafka/pull/12620#issuecomment-1245356187

   I did some analysis on what has changed and here is my summary:
   
   ZK 3.7.1 [contains CVE fixes](https://zookeeper.apache.org/doc/r3.7.1/releasenotes.html) for:
   1. Jackson-databind: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
   2. Log4j 1.x: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
   3. Jetty: https://nvd.nist.gov/vuln/detail/cve-2021-28165
   4. Reload4j: CVE-2020-9493, CVE-2022-23307
   
   In 3.3.0-RC1 for Kafka:
   1. We are [picking up 4.1.78 for Netty](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L108) for two sub-modules of Netty, `netty-transport-native-epoll` and `netty-handler`.  The reported CVEs in Netty's other sub modules are either related to compression algorithms or in HTTP2 which ZooKeeper (or Kafka) doesn't use AFAIK. Hence, we should be ok.
   2. We are picking up [Jetty Server 9.4.48](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L73) which fixes the vulnerabilities fixed by new Zookeeper version.
   3. We are picking up [Jackson 2.13.3](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L70) which fixes the vulnerabilities fixed by new Zookeeper version.
   4. We are [picking up Reload4j 1.2.19](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L111) which fixes the vulnerabilities fixed by new Zookeeper version.  
   
   Since the CVEs are fixed in the versions we are directly picking up on the class path for Kafka, I don't think it is urgent to upgrade the ZooKeeper version. We can scope it for 3.4.0.


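The version-versus-fix comparison the comment walks through by hand, as an added example (not code from the original comment, the PR, or the Kafka project). It parses a constructed snippet written in the style of Kafka's gradle/dependencies.gradle and checks each pin against the version the comment cites as carrying the fix. The thresholds are the versions quoted in the comment, not upstream "first fixed in" versions; the sample pins and the Jetty/Netty qualifier suffixes are assumptions for illustration; and the numeric-only comparison is a heuristic for these libraries' dotted schemes, not a full Maven version comparator.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample written in the style of Kafka's gradle/dependencies.gradle.
# It is NOT the real file; the pins are the four versions the PR comment cites
# for the 3.3.0-RC1 class path.
SAMPLE_DEPENDENCIES_GRADLE = """
versions += [
  jackson: "2.13.3",
  jetty: "9.4.48.v20220622",
  netty: "4.1.78.Final",
  reload4j: "1.2.19",
]
"""

# Per library: the version the comment says carries the ZooKeeper 3.7.1 CVE
# fixes, and the CVEs the comment attributes to it. Assumption: these are the
# versions quoted in the comment, used as thresholds, not the upstream
# "first fixed in" version of each CVE.
REQUIRED: Dict[str, Tuple[str, List[str]]] = {
    "jackson":  ("2.13.3", ["CVE-2020-36518"]),
    "jetty":    ("9.4.48", ["CVE-2021-28165"]),
    "reload4j": ("1.2.19", ["CVE-2020-9493", "CVE-2022-23307"]),
    # The comment judges Netty's reported CVEs non-applicable; the pin is
    # still checked so a later downgrade would be noticed.
    "netty":    ("4.1.78", []),
}

_ENTRY = re.compile(r'^\s*([A-Za-z_]\w*)\s*:\s*"([^"]+)"\s*,?\s*$')


def parse_versions(text: str) -> Dict[str, str]:
    """Collect name: "version" pins inside the `versions += [ ... ]` block."""
    pins: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("versions +="):
            in_block = True
            continue
        if in_block and stripped.startswith("]"):
            in_block = False
            continue
        if in_block:
            m = _ENTRY.match(line)
            if m:
                pins[m.group(1)] = m.group(2)
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: "9.4.48.v20220622" -> (9, 4, 48, 20220622),
    "4.1.78.Final" -> (4, 1, 78). Heuristic for the dotted-numeric schemes
    of the libraries above; not a general Maven version comparator."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def at_least(pinned: str, minimum: str) -> bool:
    """True if pinned >= minimum; the shorter tuple is zero-padded so that
    "2.13" and "2.13.0" compare equal."""
    a, b = version_key(pinned), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check(pins: Dict[str, str],
          required: Dict[str, Tuple[str, List[str]]] = REQUIRED) -> Dict[str, dict]:
    """For each required library report the pin found, whether it meets the
    threshold, and which CVEs remain open if it does not (or is missing)."""
    report: Dict[str, dict] = {}
    for lib, (minimum, cves) in required.items():
        pinned: Optional[str] = pins.get(lib)
        ok = pinned is not None and at_least(pinned, minimum)
        report[lib] = {
            "pinned": pinned,
            "required": minimum,
            "ok": ok,
            "open_cves": [] if ok else cves,
        }
    return report


def all_fixed(report: Dict[str, dict]) -> bool:
    """True only when every required library meets its threshold."""
    return all(entry["ok"] for entry in report.values())


if __name__ == "__main__":
    result = check(parse_versions(SAMPLE_DEPENDENCIES_GRADLE))
    for lib, entry in result.items():
        status = "ok" if entry["ok"] else "BELOW " + entry["required"]
        print(f"{lib:9} {entry['pinned'] or '<missing>':20} {status}")
    print("all cited fixes present on the class path:", all_fixed(result))
```

Running the script against the constructed sample reports every pin as meeting its threshold, which is the conclusion the comment reaches for 3.3.0-RC1; swapping in an older pin, or dropping one, flags that library together with the CVEs the comment attributes to it.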