Posted to users@kafka.apache.org by Elvis-ch1 <el...@yahoo.com.INVALID> on 2021/06/17 16:03:20 UTC

vulnerabilities

Hello, I apologize if this is not the right email address to report
vulnerabilities to; I couldn't find an email address here
(https://github.com/apache/kafka/security) to report vulnerabilities,
which is not usually the case.

We happen to be using Kafka in our environment (source image:
https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
to latest-kafka-2.8.0 and our vulnerability scanners found the
following critical, high, and moderate vulnerabilities:

PS: I did email the strimzi/kafka team and they highlighted that the
vulnerabilities mentioned below are from Apache Kafka; strimzi only
provides tooling for running Apache Kafka on Kubernetes.

CVE-2017-18640: vulnerability in org.yaml_snakeyaml 1.23, fixed in snakeyaml 1.26

CVE-2020-29582: vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50, fixed in kotlin 1.4.21

CVE-2021-29425: vulnerability in commons-io_commons-io 1.26, fixed in apache-commons-io 2.7

CVE-2019-17571: vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.8.2

CVE-2020-9488: vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.13.2

CVE-2021-28168: vulnerability in jersey 2.31, fixed in jersey 2.34 and jersey 3.0.2

CVE-2021-26291: vulnerability in maven 3.6.3, fixed in maven 3.8.1

CVE-2021-28169: vulnerability in jetty-servlets 9.4.39.v20210325, fixed in jetty 9.4.41, jetty 10.0.3 and jetty 11.0.3

Please let me know when/if these vulnerabilities will be fixed/patched in
Apache Kafka.

Thanks.
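As an added example (not from this thread), a small Python triage script that checks findings like the ones above against the jars a Kafka image actually ships in libs/, comparing only within the installed major line so that a component whose fix exists only in a later major line (log4j 1.2.17 here) is reported as such. The libs/ listing and the artifact-name prefixes are assumptions for illustration, not an actual Kafka 2.8.0 inventory.

```python
# Added example: triage scanner findings against the jars a Kafka image
# actually ships in libs/. The jar listing is constructed, not a real 2.8.0 one.
import re

# (CVE, artifact prefix as the scanner names it, fixed versions per major line)
FINDINGS = [
    ("CVE-2017-18640", "snakeyaml", ("1.26",)),
    ("CVE-2020-29582", "kotlin-stdlib", ("1.4.21",)),
    ("CVE-2021-29425", "commons-io", ("2.7",)),
    ("CVE-2019-17571", "log4j", ("2.8.2",)),
    ("CVE-2020-9488", "log4j", ("2.13.2",)),
    ("CVE-2021-28168", "jersey", ("2.34", "3.0.2")),
    ("CVE-2021-26291", "maven", ("3.8.1",)),
    ("CVE-2021-28169", "jetty-servlets", ("9.4.41", "10.0.3", "11.0.3")),
]
# Constructed stand-in for `ls /opt/kafka/libs` on the broker image (assumed).
LIBS = ["kafka_2.13-2.8.0.jar", "snakeyaml-1.23.jar", "log4j-1.2.17.jar",
        "jersey-server-2.31.jar", "jetty-servlets-9.4.39.v20210325.jar",
        "kotlin-stdlib-1.3.50.jar", "maven-artifact-3.6.3.jar"]
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d[\w.]*)\.jar$")

def parse_version(v):
    """Leading numeric components only: '9.4.39.v20210325' -> (9, 4, 39)."""
    out = []
    for part in v.split("."):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)

def assess(fixed_versions, installed):
    """Compare only against the fixed release(s) in the installed major line."""
    inst = parse_version(installed)
    same_line = [parse_version(f) for f in fixed_versions
                 if parse_version(f)[0] == inst[0]]
    if not same_line:  # e.g. log4j 1.2.17: every fix is in the 2.x line
        return "affected (no fixed release in this major line)"
    return "fixed" if all(inst >= f for f in same_line) else "affected"

def triage(findings=FINDINGS, libs=LIBS):
    """Map each CVE to (jar, status) pairs; flag CVEs with no shipped jar."""
    report = {}
    for cve, artifact, fixed in findings:
        hits = []
        for jar in libs:
            m = JAR_RE.match(jar)
            if m and (m["name"] == artifact or m["name"].startswith(artifact + "-")):
                hits.append((jar, assess(fixed, m["ver"])))
        report[cve] = hits or [("-", "not shipped in libs/ (build-time dependency?)")]
    return report
```

A finding with no matching jar (commons-io in the constructed listing) is the case to check by hand: the scanner may have flagged a build-time or transitive dependency that never reaches the runtime classpath.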



Re: vulnerabilities

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
I will try to report this as well.

Thanks for pointing it out!

Wu Shilin
Solution Architect, Confluent


On Fri, Jun 18, 2021 at 12:49 AM Elvis-ch1 <el...@yahoo.com.invalid>
wrote:

> Hello, I apologize if this is not the right email address to report
> vulnerabilities to; I couldn't find an email address here
> (https://github.com/apache/kafka/security) to report vulnerabilities,
> which is not usually the case.
>
> We happen to be using Kafka in our environment (source image:
> https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
> to latest-kafka-2.8.0 and our vulnerability scanners found the
> following critical, high, and moderate vulnerabilities:
>
> PS: I did email the strimzi/kafka team and they highlighted that the
> vulnerabilities mentioned below are from Apache Kafka; strimzi only
> provides tooling for running Apache Kafka on Kubernetes.
>
> CVE-2017-18640: vulnerability in org.yaml_snakeyaml 1.23, fixed in snakeyaml 1.26
>
> CVE-2020-29582: vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50, fixed in kotlin 1.4.21
>
> CVE-2021-29425: vulnerability in commons-io_commons-io 1.26, fixed in apache-commons-io 2.7
>
> CVE-2019-17571: vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.8.2
>
> CVE-2020-9488: vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.13.2
>
> CVE-2021-28168: vulnerability in jersey 2.31, fixed in jersey 2.34 and jersey 3.0.2
>
> CVE-2021-26291: vulnerability in maven 3.6.3, fixed in maven 3.8.1
>
> CVE-2021-28169: vulnerability in jetty-servlets 9.4.39.v20210325, fixed in jetty 9.4.41, jetty 10.0.3 and jetty 11.0.3
>
> Please let me know when/if these vulnerabilities will be fixed/patched in
> Apache Kafka.
>
> Thanks.