Posted to users@kafka.apache.org by Sahil Sharma D <sa...@ericsson.com.INVALID> on 2023/05/02 08:46:21 UTC

CVEs related to Kafka

Hi team,

We have got the below two vulnerabilities on Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil
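
As an added illustration of the failure mode CVE-2022-42003 describes (example code written for this page in Python, not jackson-databind's own implementation): a model of a primitive deserializer with an UNWRAP_SINGLE_VALUE_ARRAYS-style option, once with no bound on wrapper-array nesting and once rejecting wrappers beyond a configurable depth. The function names and the 1000-level default limit are assumptions for illustration.

```python
"""Model of the deep-wrapper-array problem behind CVE-2022-42003.

Constructed example: the names and the 1000-level default limit are
assumptions for illustration, not jackson-databind's implementation.
"""


class NestingTooDeep(ValueError):
    """Raised when wrapper arrays exceed the configured depth."""


def wrap(value, depth):
    """Build [[[...[value]...]]] with `depth` single-element wrapper arrays."""
    node = value
    for _ in range(depth):
        node = [node]
    return node


def deserialize_int_unchecked(node, unwrap_single_value_arrays=True):
    """Pre-fix behaviour: recursive unwrap with no bound on nesting.

    Every wrapper level costs a stack frame, so a document made of nothing
    but '[' characters exhausts the stack (RecursionError here, a
    StackOverflowError on a JVM) before any value is produced.
    """
    if isinstance(node, list):
        if not unwrap_single_value_arrays:
            raise TypeError("cannot deserialize int from an array")
        if len(node) != 1:
            raise TypeError("cannot deserialize int from a multi-element array")
        return deserialize_int_unchecked(node[0], unwrap_single_value_arrays)
    if isinstance(node, bool) or not isinstance(node, int):
        raise TypeError("expected an integer token")
    return node


def deserialize_int(node, unwrap_single_value_arrays=True, max_depth=1000):
    """Fixed behaviour: iterative unwrap that stops after `max_depth` levels."""
    depth = 0
    while isinstance(node, list):
        if not unwrap_single_value_arrays:
            raise TypeError("cannot deserialize int from an array")
        if len(node) != 1:
            raise TypeError("cannot deserialize int from a multi-element array")
        depth += 1
        if depth > max_depth:
            raise NestingTooDeep(f"wrapper arrays nested deeper than {max_depth}")
        node = node[0]
    if isinstance(node, bool) or not isinstance(node, int):
        raise TypeError("expected an integer token")
    return node


def probe(deserializer, depth, **kwargs):
    """Run a deserializer on a `depth`-deep wrapper and classify the outcome."""
    try:
        return deserializer(wrap(7, depth), **kwargs)
    except RecursionError:
        return "stack exhausted"
    except NestingTooDeep:
        return "rejected: too deep"


if __name__ == "__main__":
    print(probe(deserialize_int_unchecked, 10))       # 7
    print(probe(deserialize_int_unchecked, 100_000))  # stack exhausted
    print(probe(deserialize_int, 10))                 # 7
    print(probe(deserialize_int, 100_000))            # rejected: too deep
```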

RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Hi Luke,

Please find my queries inline:
https://issues.apache.org/jira/browse/KAFKA-14107 [Sahil: As mentioned in this ticket, CVE-2022-2048 and CVE-2022-2047 were fixed in versions 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3. We are using Kafka version 3.3.1 and we are still getting these CVEs.]
https://issues.apache.org/jira/browse/KAFKA-14256 [Sahil: There is no CVE mentioned in this ticket; can you please share which CVEs have been resolved in this ticket. As per the ticket, "KAFKA-14256" is solved in 3.4.0; however, it is not mentioned in the Release Notes of v3.4.0.]

Regards.
Sahil

-----Original Message-----
From: Luke Chen <sh...@gmail.com> 
Sent: 10 May 2023 10:50 AM
To: users@kafka.apache.org
Cc: Tauzell, Dave <Da...@surescripts.com>
Subject: Re: CVEs related to Kafka

Hi Sahil,

> in which version of Kafka these will be fixed

https://issues.apache.org/jira/browse/KAFKA-14320
https://issues.apache.org/jira/browse/KAFKA-14107
https://issues.apache.org/jira/browse/KAFKA-14256

Maybe you can try to search the JIRA first next time. :)

Thank you.
Luke

On Wed, May 10, 2023 at 12:33 PM Sahil Sharma D <sa...@ericsson.com.invalid> wrote:

> Hi team,
>
> By when can we expect a reply regarding this, any idea?
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Tauzell, Dave <Da...@surescripts.com>
> Sent: 09 May 2023 11:29 PM
> To: users@kafka.apache.org
> Subject: Re: CVEs related to Kafka
>
> Consider purchasing support from Confluent to get this sort of request 
> answered quickly.
>
>
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Date: Tuesday, May 9, 2023 at 12:40 PM
> To: users@kafka.apache.org <us...@kafka.apache.org>
> Subject: [EXTERNAL] RE: CVEs related to Kafka
> Gentle reminder-2 !
>
> -----Original Message-----
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Sent: 03 May 2023 04:34 PM
> To: users@kafka.apache.org
> Subject: RE: CVEs related to Kafka
>
> Gentle reminder!
>
> From: Sahil Sharma D
> Sent: 03 May 2023 08:57 AM
> To: 'users@kafka.apache.org' <us...@kafka.apache.org>
> Subject: RE: CVEs related to Kafka
> Importance: High
>
> Hi Team,
>
> We have found a few more vulnerabilities on Kafka; below is the list:
>
> CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
> Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR
> file. On its own, it cannot be exploited. There is only a risk in 
> conjunction with Java object deserialization within an application. In 
> such situations, it allows attackers to erase contents of arbitrary 
> files, make network connections, or possibly run arbitrary code 
> (specifically,
> Function0 functions) via a gadget chain
>
> CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
> Jetty is a java based web server and servlet engine. In affected versions
> servlets with multipart support (e.g. annotated with 
> `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or 
> `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the 
> client sends a multipart request with a part that has a name but no 
> filename and very large content. This happens even with the default 
> settings of `fileSizeThreshold=0` which should stream the whole part 
> content to disk. An attacker client may send a large multipart request 
> and cause the server to throw `OutOfMemoryError`. However, the server 
> may be able to recover after the `OutOfMemoryError` and continue its 
> service -- although it may take some time. This issue has been patched 
> in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to 
> upgrade. Users unable to upgrade may set the multipart parameter 
> `maxRequestSize` which must be set to a non-negative value, so the 
> whole multipart content is limited (although still read into memory).
>
> CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
> Jetty is a java based web server and servlet engine. Nonstandard cookie
> parsing in Jetty may allow an attacker to smuggle cookies within other 
> cookies, or otherwise perform unintended behavior by tampering with 
> the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts 
> with `"` (double quote), it will continue to read the cookie string 
> until it sees a closing quote -- even if a semicolon is encountered. 
> So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; 
> c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and 
> a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This 
> has security implications because if, say, JSESSIONID is an HttpOnly 
> cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, 
> an attacker can smuggle the JSESSIONID cookie into the 
> DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant 
> when an intermediary is enacting some policy based on cookies, so a 
> smuggled cookie can bypass that policy yet still be seen by the Jetty 
> server or its logging system. This issue has been addressed in 
> versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
>
> Kindly confirm about the mitigation plan and impact of these CVEs.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 02 May 2023 02:16 PM
> To: users@kafka.apache.org<ma...@kafka.apache.org>
> Subject: CVEs related to Kafka
> Importance: High
>
> Hi team,
>
> We have got the below two vulnerabilities on Kafka 3PP.
>
> CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
> In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can
> occur because of a lack of a check in primitive value deserializers to 
> avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS 
> feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
>
> CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
> In FasterXML jackson-databind before 2.13.4, resource exhaustion can
> occur because of a lack of a check in
> BeanDeserializer._deserializeFromArray to prevent use of deeply nested 
> arrays. An application is vulnerable only with certain customized 
> choices for deserialization.
>
> Is 3PP using the impacted functionality, and in which version of
> Kafka will these be fixed?
>
> Regards,
> Sahil
>
> This e-mail and any files transmitted with it are confidential, may 
> contain sensitive information, and are intended solely for the use of 
> the individual or entity to whom they are addressed. If you have 
> received this e-mail in error, please notify the sender by reply 
> e-mail immediately and destroy all copies of the e-mail and any attachments.
>
>

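The parsing difference CVE-2023-26049 describes, worked through as an added Python example for this page (not Jetty's code): a strict split on ';' beside a model of the lenient quoted-value reading, plus a check over constructed Cookie header values that flags any header where the two parsers disagree on which cookie names are present. The parser and sample names are assumptions made for the example.

```python
"""Model of the cookie-smuggling behaviour described for CVE-2023-26049.

Constructed example: the two parsers below are simplified models written
for this page, not Jetty's cookie parser, and the sample headers are made up.
"""


def parse_strict(header):
    """Split on ';' only, the way browsers and most servers do (RFC 6265 style).

    Quotes are ordinary value characters here, so a '"' never swallows a ';'.
    """
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def parse_lenient(header):
    """Model of the pre-fix behaviour: a value that starts with '"' is read
    through to the closing quote even if ';' appears in between."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break                      # no more name=value pairs
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            end = header.find('"', j + 1)
            if end == -1:              # unterminated quote: take the rest
                end = n
            value = header[j + 1:end]
            i = end + 1
        else:
            end = header.find(";", j)
            if end == -1:
                end = n
            value = header[j:end].strip()
            i = end
        if name:
            cookies[name] = value
    return cookies


def smuggled_names(header):
    """Cookie names a strict parser sees that the lenient parser folded into
    another cookie's quoted value. Non-empty means the header is ambiguous."""
    return sorted(set(parse_strict(header)) - set(parse_lenient(header)))


# Constructed Cookie header values, as they might appear in an access log.
SAMPLE_COOKIE_HEADERS = [
    "theme=dark; JSESSIONID=abc123",                 # ordinary
    'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"',    # the advisory's example
    'lang="en-US"; JSESSIONID=def456',               # quoted but harmless
]


def scan_headers(headers):
    """Return (index, smuggled names) for every header the two parsers disagree on."""
    findings = []
    for idx, header in enumerate(headers):
        names = smuggled_names(header)
        if names:
            findings.append((idx, names))
    return findings


if __name__ == "__main__":
    for idx, names in scan_headers(SAMPLE_COOKIE_HEADERS):
        print(f"header {idx}: cookies hidden inside a quoted value: {names}")
```

A header flagged by scan_headers is one an intermediary and the server may read differently, which is the condition under which the advisory says policy based on cookies can be bypassed.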

RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Hi Team,

We are using only the kafka-client jar, binary and config files in our product; however, the below CVEs are on the scala, jackson-databind and Jetty jars bundled in Apache Kafka.

CVE-2022-36944 ---> Scala
CVE-2022-42003 ---> FasterXML jackson-databind
CVE-2022-42004 ---> FasterXML jackson-databind
CVE-2023-26048 ---> jetty-server
CVE-2023-26049 ---> jetty-server

Can you please let us know whether the impacted jars (scala, jackson-databind and Jetty) are used internally by the kafka-client jar, binary or config files, or whether, since we are using only the kafka-client jar, we are not impacted by these vulnerabilities.

Regards
Sahil

-----Original Message-----
From: Luke Chen <sh...@gmail.com> 
Sent: 10 May 2023 10:50 AM
To: users@kafka.apache.org
Cc: Tauzell, Dave <Da...@surescripts.com>
Subject: Re: CVEs related to Kafka

Hi Sahil,

> in which version of Kafka these will be fixed

https://issues.apache.org/jira/browse/KAFKA-14320
https://issues.apache.org/jira/browse/KAFKA-14107
https://issues.apache.org/jira/browse/KAFKA-14256

Maybe you can try to search the JIRA first next time. :)

Thank you.
Luke

On Wed, May 10, 2023 at 12:33 PM Sahil Sharma D <sa...@ericsson.com.invalid> wrote:

> Hi team,
>
> By when can we expect a reply regarding this, any idea?
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Tauzell, Dave <Da...@surescripts.com>
> Sent: 09 May 2023 11:29 PM
> To: users@kafka.apache.org
> Subject: Re: CVEs related to Kafka
>
> Consider purchasing support from Confluent to get this sort of request 
> answered quickly.
>
>
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Date: Tuesday, May 9, 2023 at 12:40 PM
> To: users@kafka.apache.org <us...@kafka.apache.org>
> Subject: [EXTERNAL] RE: CVEs related to Kafka
> Gentle reminder-2 !
>
> -----Original Message-----
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Sent: 03 May 2023 04:34 PM
> To: users@kafka.apache.org
> Subject: RE: CVEs related to Kafka
>
> Gentle reminder!
>
> From: Sahil Sharma D
> Sent: 03 May 2023 08:57 AM
> To: 'users@kafka.apache.org' <us...@kafka.apache.org>
> Subject: RE: CVEs related to Kafka
> Importance: High
>
> Hi Team,
>
> We have found a few more vulnerabilities on Kafka; below is the list:
>
> CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
> Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR
> file. On its own, it cannot be exploited. There is only a risk in 
> conjunction with Java object deserialization within an application. In 
> such situations, it allows attackers to erase contents of arbitrary 
> files, make network connections, or possibly run arbitrary code 
> (specifically,
> Function0 functions) via a gadget chain
>
> CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
> Jetty is a java based web server and servlet engine. In affected versions
> servlets with multipart support (e.g. annotated with 
> `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or 
> `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the 
> client sends a multipart request with a part that has a name but no 
> filename and very large content. This happens even with the default 
> settings of `fileSizeThreshold=0` which should stream the whole part 
> content to disk. An attacker client may send a large multipart request 
> and cause the server to throw `OutOfMemoryError`. However, the server 
> may be able to recover after the `OutOfMemoryError` and continue its 
> service -- although it may take some time. This issue has been patched 
> in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to 
> upgrade. Users unable to upgrade may set the multipart parameter 
> `maxRequestSize` which must be set to a non-negative value, so the 
> whole multipart content is limited (although still read into memory).
>
> CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
> Jetty is a java based web server and servlet engine. Nonstandard cookie
> parsing in Jetty may allow an attacker to smuggle cookies within other 
> cookies, or otherwise perform unintended behavior by tampering with 
> the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts 
> with `"` (double quote), it will continue to read the cookie string 
> until it sees a closing quote -- even if a semicolon is encountered. 
> So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; 
> c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and 
> a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This 
> has security implications because if, say, JSESSIONID is an HttpOnly 
> cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, 
> an attacker can smuggle the JSESSIONID cookie into the 
> DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant 
> when an intermediary is enacting some policy based on cookies, so a 
> smuggled cookie can bypass that policy yet still be seen by the Jetty 
> server or its logging system. This issue has been addressed in 
> versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
>
> Kindly confirm about the mitigation plan and impact of these CVEs.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 02 May 2023 02:16 PM
> To: users@kafka.apache.org<ma...@kafka.apache.org>
> Subject: CVEs related to Kafka
> Importance: High
>
> Hi team,
>
> We have got the below two vulnerabilities on Kafka 3PP.
>
> CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
> In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can
> occur because of a lack of a check in primitive value deserializers to 
> avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS 
> feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
>
> CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
> In FasterXML jackson-databind before 2.13.4, resource exhaustion can
> occur because of a lack of a check in
> BeanDeserializer._deserializeFromArray to prevent use of deeply nested 
> arrays. An application is vulnerable only with certain customized 
> choices for deserialization.
>
> Is 3PP using the impacted functionality, and in which version of
> Kafka will these be fixed?
>
> Regards,
> Sahil
>
>
>


Re: CVEs related to Kafka

Posted by Luke Chen <sh...@gmail.com>.
Hi Sahil,

> in which version of Kafka these will be fixed

https://issues.apache.org/jira/browse/KAFKA-14320
https://issues.apache.org/jira/browse/KAFKA-14107
https://issues.apache.org/jira/browse/KAFKA-14256

Maybe you can try to search the JIRA first next time. :)

Thank you.
Luke

On Wed, May 10, 2023 at 12:33 PM Sahil Sharma D
<sa...@ericsson.com.invalid> wrote:

> Hi team,
>
> By when can we expect a reply regarding this, any idea?
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Tauzell, Dave <Da...@surescripts.com>
> Sent: 09 May 2023 11:29 PM
> To: users@kafka.apache.org
> Subject: Re: CVEs related to Kafka
>
> Consider purchasing support from Confluent to get this sort of request
> answered quickly.
>
>
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Date: Tuesday, May 9, 2023 at 12:40 PM
> To: users@kafka.apache.org <us...@kafka.apache.org>
> Subject: [EXTERNAL] RE: CVEs related to Kafka
> Gentle reminder-2 !
>
> -----Original Message-----
> From: Sahil Sharma D <sa...@ericsson.com.INVALID>
> Sent: 03 May 2023 04:34 PM
> To: users@kafka.apache.org
> Subject: RE: CVEs related to Kafka
>
> Gentle reminder!
>
> From: Sahil Sharma D
> Sent: 03 May 2023 08:57 AM
> To: 'users@kafka.apache.org' <us...@kafka.apache.org>
> Subject: RE: CVEs related to Kafka
> Importance: High
>
> Hi Team,
>
> We have found a few more vulnerabilities on Kafka; below is the list:
>
> CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
> Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR
> file. On its own, it cannot be exploited. There is only a risk in
> conjunction with Java object deserialization within an application. In such
> situations, it allows attackers to erase contents of arbitrary files, make
> network connections, or possibly run arbitrary code (specifically,
> Function0 functions) via a gadget chain
>
> CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
> Jetty is a java based web server and servlet engine. In affected versions
> servlets with multipart support (e.g. annotated with `@MultipartConfig`)
> that call `HttpServletRequest.getParameter()` or
> `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
> client sends a multipart request with a part that has a name but no
> filename and very large content. This happens even with the default
> settings of `fileSizeThreshold=0` which should stream the whole part
> content to disk. An attacker client may send a large multipart request and
> cause the server to throw `OutOfMemoryError`. However, the server may be
> able to recover after the `OutOfMemoryError` and continue its service --
> although it may take some time. This issue has been patched in versions
> 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to
> upgrade may set the multipart parameter `maxRequestSize` which must be set
> to a non-negative value, so the whole multipart content is limited
> (although still read into memory).
>
> CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
> Jetty is a java based web server and servlet engine. Nonstandard cookie
> parsing in Jetty may allow an attacker to smuggle cookies within other
> cookies, or otherwise perform unintended behavior by tampering with the
> cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"`
> (double quote), it will continue to read the cookie string until it sees a
> closing quote -- even if a semicolon is encountered. So, a cookie header
> such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one
> cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337;
> c=d instead of 3 separate cookies. This has security implications because
> if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie
> value is rendered on the page, an attacker can smuggle the JSESSIONID
> cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is
> significant when an intermediary is enacting some policy based on cookies,
> so a smuggled cookie can bypass that policy yet still be seen by the Jetty
> server or its logging system. This issue has been addressed in versions
> 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to
> upgrade. There are no known workarounds for this issue.
>
> Kindly confirm about the mitigation plan and impact of these CVEs.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 02 May 2023 02:16 PM
> To: users@kafka.apache.org<ma...@kafka.apache.org>
> Subject: CVEs related to Kafka
> Importance: High
>
> Hi team,
>
> We have got the below two vulnerabilities on Kafka 3PP.
>
> CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
> In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can
> occur because of a lack of a check in primitive value deserializers to
> avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS
> feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
>
> CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
> In FasterXML jackson-databind before 2.13.4, resource exhaustion can
> occur because of a lack of a check in
> BeanDeserializer._deserializeFromArray to prevent use of deeply nested
> arrays. An application is vulnerable only with certain customized choices
> for deserialization.
>
> Is 3PP using the impacted functionality, and in which version of Kafka
> will these be fixed?
>
> Regards,
> Sahil
>
>
>

RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Hi team,

By when can we expect a reply regarding this, any idea?

Regards,
Sahil

-----Original Message-----
From: Tauzell, Dave <Da...@surescripts.com> 
Sent: 09 May 2023 11:29 PM
To: users@kafka.apache.org
Subject: Re: CVEs related to Kafka

Consider purchasing support from Confluent to get this sort of request answered quickly.


From: Sahil Sharma D <sa...@ericsson.com.INVALID>
Date: Tuesday, May 9, 2023 at 12:40 PM
To: users@kafka.apache.org <us...@kafka.apache.org>
Subject: [EXTERNAL] RE: CVEs related to Kafka
Gentle reminder-2 !

-----Original Message-----
From: Sahil Sharma D <sa...@ericsson.com.INVALID>
Sent: 03 May 2023 04:34 PM
To: users@kafka.apache.org
Subject: RE: CVEs related to Kafka

Gentle reminder!

From: Sahil Sharma D
Sent: 03 May 2023 08:57 AM
To: 'users@kafka.apache.org' <us...@kafka.apache.org>
Subject: RE: CVEs related to Kafka
Importance: High

Hi Team,

We have found a few more vulnerabilities on Kafka; below is the list:

CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain

CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Kindly confirm about the mitigation plan and impact of these CVEs.

Regards,
Sahil

From: Sahil Sharma D
Sent: 02 May 2023 02:16 PM
To: users@kafka.apache.org<ma...@kafka.apache.org>
Subject: CVEs related to Kafka
Importance: High

Hi team,

We have got the below two vulnerabilities on Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil



Re: CVEs related to Kafka

Posted by "Tauzell, Dave" <Da...@surescripts.com>.
Consider purchasing support from Confluent to get this sort of request answered quickly.


From: Sahil Sharma D <sa...@ericsson.com.INVALID>
Date: Tuesday, May 9, 2023 at 12:40 PM
To: users@kafka.apache.org <us...@kafka.apache.org>
Subject: [EXTERNAL] RE: CVEs related to Kafka
Gentle reminder-2 !

-----Original Message-----
From: Sahil Sharma D <sa...@ericsson.com.INVALID>
Sent: 03 May 2023 04:34 PM
To: users@kafka.apache.org
Subject: RE: CVEs related to Kafka

Gentle reminder!

From: Sahil Sharma D
Sent: 03 May 2023 08:57 AM
To: 'users@kafka.apache.org' <us...@kafka.apache.org>
Subject: RE: CVEs related to Kafka
Importance: High

Hi Team,

We have found a few more vulnerabilities on Kafka; below is the list:

CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain

CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Kindly confirm the mitigation plan and impact of these CVEs.

Regards,
Sahil

From: Sahil Sharma D
Sent: 02 May 2023 02:16 PM
To: users@kafka.apache.org<ma...@kafka.apache.org>
Subject: CVEs related to Kafka
Importance: High

Hi team,

We have got the below two vulnerabilities on the Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is the 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil

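The CVE-2023-26049 description in the message above turns on one parsing difference: a plain semicolon split sees three cookies where Jetty's quote-aware read sees one. The following is an added illustration, not Jetty's parser and not part of this thread; it models both parses and flags headers on which they disagree, which is the condition a proxy or log review would want to alert on. The header strings are constructed (the first is the one quoted in the CVE text).

```python
"""Quote-aware vs. plain cookie splitting, to flag headers that the two
parses disagree on (the condition behind the CVE-2023-26049 description).

Added example for illustration; it is not Jetty's parser. Sample headers
below are constructed.
"""
from typing import List, Set, Tuple

Cookie = Tuple[str, str]


def split_plain(header: str) -> List[Cookie]:
    """Split on ';' then on the first '=' with no quote handling at all."""
    cookies: List[Cookie] = []
    for piece in header.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, _, value = piece.partition("=")
        cookies.append((name.strip(), value.strip()))
    return cookies


def split_quote_aware(header: str) -> List[Cookie]:
    """Model of the lenient behaviour the CVE text describes: a value that
    begins with '"' is read up to the closing quote, straight through any
    ';' in between."""
    cookies: List[Cookie] = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":      # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;":  # cookie name
            i += 1
        name = header[start:i].strip()
        value = ""
        if i < n and header[i] == "=":
            i += 1
            if i < n and header[i] == '"':      # quoted value: ';' does not end it
                i += 1
                start = i
                while i < n and header[i] != '"':
                    i += 1
                value = header[start:i]
                i += 1                          # step past the closing quote
            else:                               # bare value: ends at ';'
                start = i
                while i < n and header[i] != ";":
                    i += 1
                value = header[start:i].strip()
        cookies.append((name, value))
    return cookies


def smuggled_names(header: str, sensitive: Set[str]) -> List[str]:
    """Sensitive cookie names that a plain split sees as their own cookies
    but the quote-aware parse folds into another cookie's value. A non-empty
    result is the pattern worth alerting on at a proxy or in access logs."""
    plain = {name for name, _ in split_plain(header)}
    aware = {name for name, _ in split_quote_aware(header)}
    return sorted(name for name in sensitive if name in plain and name not in aware)


# Constructed headers: the one from the CVE text and a benign one.
SMUGGLING_HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'
BENIGN_HEADER = "DISPLAY_LANGUAGE=en; JSESSIONID=1337; c=d"

if __name__ == "__main__":
    for hdr in (SMUGGLING_HEADER, BENIGN_HEADER):
        print(hdr, "->", smuggled_names(hdr, {"JSESSIONID"}))
```

For the quoted header the plain split yields DISPLAY_LANGUAGE, JSESSIONID and c, while the quote-aware parse yields a single DISPLAY_LANGUAGE cookie whose value carries the session id; `smuggled_names` reports the disagreement. The check is useful precisely because, as the CVE text says, an intermediary applying cookie policy may be using the first interpretation while the Jetty server uses the second.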

RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Gentle reminder 2!

-----Original Message-----
From: Sahil Sharma D <sa...@ericsson.com.INVALID> 
Sent: 03 May 2023 04:34 PM
To: users@kafka.apache.org
Subject: RE: CVEs related to Kafka

Gentle reminder!

From: Sahil Sharma D
Sent: 03 May 2023 08:57 AM
To: 'users@kafka.apache.org' <us...@kafka.apache.org>
Subject: RE: CVEs related to Kafka
Importance: High

Hi Team,

We have found a few more vulnerabilities on Kafka; below is the list:

CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Kindly confirm the mitigation plan and impact of these CVEs.

Regards,
Sahil

From: Sahil Sharma D
Sent: 02 May 2023 02:16 PM
To: users@kafka.apache.org<ma...@kafka.apache.org>
Subject: CVEs related to Kafka
Importance: High

Hi team,

We have got the below two vulnerabilities on the Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is the 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil
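The CVE-2023-26048 description quoted in the message above names two things a defender can act on: the `maxRequestSize` workaround, which caps how much multipart content is read, and the part shape that triggers the problem (a name but no filename, with large content). The following is an added illustration, not Jetty's implementation and not part of this thread: `read_bounded` shows what a request-size cap buys (memory bounded by the limit rather than by the client), and `unnamed_file_parts` scans a body for the parts the CVE text singles out so their sizes can be inspected. The boundary and body are constructed.

```python
"""Bounded reading of a multipart body plus a scan for the part shape named
in the CVE-2023-26048 description (a name but no filename, large content).

Added example, not Jetty's implementation: read_bounded models what the
maxRequestSize workaround buys you, and the sample body is constructed.
"""
import io
import re
from typing import List, Tuple


class RequestTooLarge(Exception):
    """Raised before the body would exceed the configured limit."""


def read_bounded(stream: io.BufferedIOBase, max_request_size: int,
                 chunk_size: int = 8192) -> bytes:
    """Read the body chunk by chunk and stop the moment the next chunk would
    push the buffered total past max_request_size, so memory use is capped
    at the limit instead of growing with whatever the client sends."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk_size)
        if not piece:
            return bytes(buf)
        if len(buf) + len(piece) > max_request_size:
            raise RequestTooLarge(f"body exceeds {max_request_size} bytes")
        buf.extend(piece)


def body_within_limit(body: bytes, max_request_size: int) -> bool:
    """Convenience wrapper: True if the body can be read under the limit."""
    try:
        read_bounded(io.BytesIO(body), max_request_size)
        return True
    except RequestTooLarge:
        return False


_DISPOSITION = re.compile(rb"content-disposition:\s*form-data;(.*)", re.I)
_NAME = re.compile(rb'(?:^|;)\s*name="([^"]*)"')


def unnamed_file_parts(body: bytes, boundary: bytes) -> List[Tuple[str, int]]:
    """(name, content length) for every part with a name but no filename.
    Per the CVE text these are the parts that get read into memory rather
    than streamed to disk, so their sizes are what a limit has to cover."""
    found: List[Tuple[str, int]] = []
    for segment in body.split(b"--" + boundary)[1:]:
        if segment.startswith(b"--"):          # "--boundary--" closes the body
            break
        headers, sep, content = segment.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue
        if content.endswith(b"\r\n"):          # CRLF before the next delimiter
            content = content[:-2]
        m = _DISPOSITION.search(headers)
        if not m or b'filename="' in m.group(1).lower():
            continue
        name = _NAME.search(m.group(1))
        if name:
            found.append((name.group(1).decode(), len(content)))
    return found


# Constructed sample: one large name-only part, one small file part.
BOUNDARY = b"XXBOUNDARYXX"
SAMPLE_BODY = (
    b"--XXBOUNDARYXX\r\n"
    b'Content-Disposition: form-data; name="description"\r\n'
    b"\r\n"
    + b"A" * 5000 + b"\r\n"
    + b"--XXBOUNDARYXX\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--XXBOUNDARYXX--\r\n"
)

if __name__ == "__main__":
    print(unnamed_file_parts(SAMPLE_BODY, BOUNDARY))
    print(body_within_limit(SAMPLE_BODY, 10_000), body_within_limit(SAMPLE_BODY, 1_000))
```

On the sample body the scan reports only the `description` part (5000 bytes); the `upload` part has a filename and is left alone. With a 10,000-byte limit the body is accepted, with a 1,000-byte limit it is refused before more than one chunk is buffered, which is the behaviour the CVE text attributes to setting `maxRequestSize` (the content is still read into memory, but only up to the cap).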



RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Gentle reminder!

From: Sahil Sharma D
Sent: 03 May 2023 08:57 AM
To: 'users@kafka.apache.org' <us...@kafka.apache.org>
Subject: RE: CVEs related to Kafka
Importance: High

Hi Team,

We have found a few more vulnerabilities on Kafka; below is the list:

CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Kindly confirm the mitigation plan and impact of these CVEs.

Regards,
Sahil

From: Sahil Sharma D
Sent: 02 May 2023 02:16 PM
To: users@kafka.apache.org<ma...@kafka.apache.org>
Subject: CVEs related to Kafka
Importance: High

Hi team,

We have got the below two vulnerabilities on the Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is the 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil
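Both jackson-databind CVEs quoted in the message above come down to a missing nesting-depth check: a primitive wrapped in enough single-element arrays (`[[[[1]]]]`, the "deep wrapper array nesting" the text refers to) exhausts resources before the deserializer rejects it. The following is an added illustration, not Jackson's code and not part of this thread: a string-aware, single-pass depth guard that can be applied to raw JSON before it reaches any data-binding layer, and that stops at the first bracket crossing the limit rather than scanning the whole document. The limit value and the inputs are constructed.

```python
"""Nesting-depth guard applied to raw JSON before it reaches a data-binding
layer, in the spirit of the missing check the jackson-databind CVE texts
describe. Added example; not Jackson's code. Inputs are constructed.
"""
from typing import Iterator, Tuple


class NestingTooDeep(ValueError):
    """Raised when arrays/objects nest deeper than the configured limit."""


def _open_depths(doc: str) -> Iterator[Tuple[int, int]]:
    """Yield (offset, depth) at every '[' or '{' that is outside a string.
    Brackets inside JSON string literals (including escaped quotes) are
    skipped so they cannot inflate or deflate the count."""
    depth = 0
    in_string = escaped = False
    for offset, ch in enumerate(doc):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            yield offset, depth
        elif ch in "]}":
            depth -= 1


def max_nesting_depth(doc: str) -> int:
    """Deepest array/object nesting in the document (0 for a bare scalar)."""
    return max((depth for _, depth in _open_depths(doc)), default=0)


def reject_if_too_deep(doc: str, limit: int) -> str:
    """Raise at the first bracket crossing the limit, so a hostile document
    costs at most `limit` opens to reject and never reaches the
    deserializer. Returns the document unchanged otherwise."""
    for offset, depth in _open_depths(doc):
        if depth > limit:
            raise NestingTooDeep(f"depth {depth} exceeds {limit} at offset {offset}")
    return doc


def is_safe_to_bind(doc: str, limit: int = 1000) -> bool:
    """True if the document stays within the limit. The default of 1000 is a
    constructed value for this example, not a figure from the CVE text."""
    try:
        reject_if_too_deep(doc, limit)
        return True
    except NestingTooDeep:
        return False


def wrapped_scalar(scalar: str, layers: int) -> str:
    """Constructed input: a primitive wrapped in `layers` single-element
    arrays, the wrapper-array shape the CVE text refers to."""
    return "[" * layers + scalar + "]" * layers


if __name__ == "__main__":
    for layers in (5, 999, 1001):
        doc = wrapped_scalar("1", layers)
        print(layers, max_nesting_depth(doc), is_safe_to_bind(doc))
```

The guard is deliberately independent of the JSON library: it only counts brackets, so it runs in linear time in the position where the limit is hit and can sit in front of any deserializer, including one whose UNWRAP_SINGLE_VALUE_ARRAYS-style features make wrapper arrays meaningful.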

RE: CVEs related to Kafka

Posted by Sahil Sharma D <sa...@ericsson.com.INVALID>.
Hi Team,

We have found a few more vulnerabilities on Kafka; below is the list:

CVE-2022-36944<https://nvd.nist.gov/vuln/detail/CVE-2022-36944>
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

CVE-2023-26048<https://nvd.nist.gov/vuln/detail/CVE-2023-26048>
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

CVE-2023-26049<https://nvd.nist.gov/vuln/detail/CVE-2023-26049>
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Kindly confirm the mitigation plan and impact of these CVEs.

Regards,
Sahil

From: Sahil Sharma D
Sent: 02 May 2023 02:16 PM
To: users@kafka.apache.org
Subject: CVEs related to Kafka
Importance: High

Hi team,

We have got the below two vulnerabilities on the Kafka 3PP.

CVE-2022-42003<https://nvd.nist.gov/vuln/detail/CVE-2022-42003>
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.

CVE-2022-42004<https://nvd.nist.gov/vuln/detail/CVE-2022-42004>
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Is the 3PP using the impacted functionality, and in which version of Kafka will these be fixed?

Regards,
Sahil