Posted to users@kafka.apache.org by Sahil Sharma D <sa...@ericsson.com.INVALID> on 2023/06/14 07:01:35 UTC

RE: CVEs related to Kafka

Hi Luke,

Please find my queries inline:
https://issues.apache.org/jira/browse/KAFKA-14107 [Sahil: As mentioned in this ticket, CVE-2022-2048 and CVE-2022-2047 were fixed in versions 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3. We are using Kafka version 3.3.1 and we are still getting these CVEs.]
https://issues.apache.org/jira/browse/KAFKA-14256 [Sahil: There is no CVE mentioned in this ticket; can you please share which CVEs were resolved in this ticket?
                                                   As per this ticket, KAFKA-14256 is solved in 3.4.0; however, it is not mentioned in the Release Notes of v3.4.0.]

Regards.
Sahil

-----Original Message-----
From: Luke Chen <sh...@gmail.com> 
Sent: 10 May 2023 10:50 AM
To: users@kafka.apache.org
Cc: Tauzell, Dave <Da...@surescripts.com>
Subject: Re: CVEs related to Kafka

Hi Sahil,

> in which version of Kafka these will be fixed

https://issues.apache.org/jira/browse/KAFKA-14320
https://issues.apache.org/jira/browse/KAFKA-14107
https://issues.apache.org/jira/browse/KAFKA-14256

Maybe you can try to search the JIRA first next time. :)

Thank you.
Luke

On Wed, May 10, 2023 at 12:33 PM Sahil Sharma D <sa...@ericsson.com.invalid> wrote:

> Hi team,
>
> By when we can expect reply reg this, any idea?
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Tauzell, Dave <Da...@surescripts.com>
> Sent: 09 May 2023 11:29 PM
> To: users@kafka.apache.org
> Subject: Re: CVEs related to Kafka
>
> Consider purchasing support from Confluent to get this sort of request 
> answered quickly.
>
>
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Date: Tuesday, May 9, 2023 at 12:40 PM
> To: users@kafka.apache.org <us...@kafka.apache.org>
> Subject: [EXTERNAL] RE: CVEs related to Kafka
>
> Gentle reminder-2!
>
> -----Original Message-----
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Sent: 03 May 2023 04:34 PM
> To: users@kafka.apache.org
> Subject: RE: CVEs related to Kafka
>
> Gentle reminder!
>
> From: Sahil Sharma D
> Sent: 03 May 2023 08:57 AM
> To: 'users@kafka.apache.org' <us...@kafka.apache.org>
> Subject: RE: CVEs related to Kafka
> Importance: High
>
> Hi Team,
>
> We have found a few more vulnerabilities on Kafka; below is the list:
>
> CVE-2022-36944 <https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
> Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR
> file. On its own, it cannot be exploited. There is only a risk in
> conjunction with Java object deserialization within an application. In
> such situations, it allows attackers to erase contents of arbitrary
> files, make network connections, or possibly run arbitrary code
> (specifically, Function0 functions) via a gadget chain
>
> CVE-2023-26048 <https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
> Jetty is a java based web server and servlet engine. In affected versions
> servlets with multipart support (e.g. annotated with
> `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or
> `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
> client sends a multipart request with a part that has a name but no
> filename and very large content. This happens even with the default
> settings of `fileSizeThreshold=0` which should stream the whole part
> content to disk. An attacker client may send a large multipart request
> and cause the server to throw `OutOfMemoryError`. However, the server
> may be able to recover after the `OutOfMemoryError` and continue its
> service -- although it may take some time. This issue has been patched
> in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to
> upgrade. Users unable to upgrade may set the multipart parameter
> `maxRequestSize` which must be set to a non-negative value, so the
> whole multipart content is limited (although still read into memory).
>
> CVE-2023-26049 <https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
> Jetty is a java based web server and servlet engine. Nonstandard cookie
> parsing in Jetty may allow an attacker to smuggle cookies within other
> cookies, or otherwise perform unintended behavior by tampering with
> the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts
> with `"` (double quote), it will continue to read the cookie string
> until it sees a closing quote -- even if a semicolon is encountered.
> So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337;
> c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and
> a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This
> has security implications because if, say, JSESSIONID is an HttpOnly
> cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page,
> an attacker can smuggle the JSESSIONID cookie into the
> DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant
> when an intermediary is enacting some policy based on cookies, so a
> smuggled cookie can bypass that policy yet still be seen by the Jetty
> server or its logging system. This issue has been addressed in
> versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are
> advised to upgrade. There are no known workarounds for this issue.
>
> Kindly confirm about the mitigation plan and impact of these CVEs.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 02 May 2023 02:16 PM
> To: users@kafka.apache.org<ma...@kafka.apache.org>
> Subject: CVEs related to Kafka
> Importance: High
>
> Hi team,
>
> We have got the below two vulnerabilities on Kafka 3PP.
>
> CVE-2022-42003 <https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
> In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can
> occur because of a lack of a check in primitive value deserializers to
> avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS
> feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
>
> CVE-2022-42004 <https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
> In FasterXML jackson-databind before 2.13.4, resource exhaustion can
> occur because of a lack of a check in
> BeanDeserializer._deserializeFromArray to prevent use of deeply nested
> arrays. An application is vulnerable only with certain customized
> choices for deserialization.
>
> Is the 3PP using the impacted functionality, and in which version of
> Kafka will these be fixed?
>
> Regards,
> Sahil
>
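The cookie-parsing discrepancy described in the quoted CVE-2023-26049 text, as an added example that is not part of the thread and not Jetty's code: `parse_cookies_quote_aware` is a model of the pre-fix behaviour the advisory describes, `parse_cookies_standard` is a plain split on `;`, and `smuggled_cookie_names` reports the cookie names on which the two disagree, which is the condition a proxy or log pipeline would alert on. The sample header is the one quoted in the advisory.

```python
from typing import Dict, List

def parse_cookies_standard(header: str) -> Dict[str, str]:
    """Plain split on ';' with no quote handling (RFC 6265 style)."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies

def parse_cookies_quote_aware(header: str) -> Dict[str, str]:
    """Model (not Jetty's code) of the described behaviour: a value starting with '"' is read up to the closing quote, ';' included."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators and whitespace
            i += 1
        eq = header.find("=", i)
        if i >= n or eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':  # quoted value: swallow until closing quote
            end = header.find('"', j + 1)
            end = n if end == -1 else end
            value, i = header[j + 1:end], end + 1
        else:  # unquoted value: ends at the next ';'
            end = header.find(";", j)
            end = n if end == -1 else end
            value, i = header[j:end].strip(), end
        if name:
            cookies[name] = value
    return cookies

def smuggled_cookie_names(header: str) -> List[str]:
    """Names a plain split sees but the quote-aware parser folds into another value; non-empty means alert."""
    plain = parse_cookies_standard(header)
    quoted = parse_cookies_quote_aware(header)
    return sorted(name for name in plain if name not in quoted)

# Constructed sample: the Cookie header quoted in the CVE-2023-26049 description.
SAMPLE_HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'

if __name__ == "__main__":
    print("plain split      :", parse_cookies_standard(SAMPLE_HEADER))
    print("quote-aware parse:", parse_cookies_quote_aware(SAMPLE_HEADER))
    print("smuggled names   :", smuggled_cookie_names(SAMPLE_HEADER))
```

A non-empty result from `smuggled_cookie_names` on an inbound request is the cheapest detection signal while the Jetty upgrade the advisory calls for is rolled out, since the advisory lists no workaround.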