Posted to users@kafka.apache.org by Elvis-ch1 <el...@yahoo.com.INVALID> on 2021/06/17 16:03:20 UTC
vulnerabilities
Hello, I apologize if this is not the right email address to report
vulnerabilities to; I couldn't find an email address here (
https://github.com/apache/kafka/security ) to report vulnerabilities,
which is not usually the case.
We happen to be using Kafka in our environment (source image:
https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
to latest-kafka-2.8.0 and our vulnerability scanners found the
following critical, high, and moderate vulnerabilities:
PS: I did email the strimzi/kafka team and they highlighted that the
vulnerabilities mentioned below are from Apache Kafka, and Strimzi only
provides tooling for running Apache Kafka on Kubernetes.
CVE-2017-18640 vulnerability in org.yaml_snakeyaml 1.23 fixed in snakeyaml 1.26
CVE-2020-29582 vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50 fixed in kotlin 1.4.21
CVE-2021-29425 vulnerability in commons-io_commons-io 1.26 fixed in apache-commons-io 2.7
CVE-2019-17571 vulnerability in log4j_log4j 1.2.17 fixed in log4j 2.8.2
CVE-2020-9488 vulnerability in log4j_log4j 1.2.17 fixed in log4j-2.13.2
CVE-2021-28168 vulnerability in jersey-2.31 fixed in jersey 2.34, jersey 3.0.2
CVE-2021-26291 vulnerability in maven-3.6.3 fixed in maven 3.8.1
CVE-2021-28169 vulnerability in jetty-servlets-9.4.39.v20210325 fixed in jetty 9.4.41, jetty 10.0.3, jetty 11.0.3
Please let me know when/if these vulnerabilities will be fixed/patched in
Apache Kafka.
Thanks.
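Added example (not from the thread or the Kafka project): a small Python triage script that parses scanner findings in the format quoted above and performs a branch-aware check of the installed version against the listed fixed versions, since a finding such as jetty "fixed in 9.4.41, 10.0.3, 11.0.3" names one fix per release line and a naive "installed < lowest fix" comparison misclassifies newer lines. The sample input is constructed from the lines in the report; the line format, `triage` and the tie-breaking rule are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample input, in the format used by the scanner lines in the report above.
FINDINGS = """\
CVE-2017-18640 vulnerability in org.yaml_snakeyaml 1.23 fixed in snakeyaml 1.26
CVE-2019-17571 vulnerability in log4j_log4j 1.2.17 fixed in log4j 2.8.2
CVE-2021-28168 vulnerability in jersey-2.31 fixed in jersey 2.34, jersey 3.0.2
CVE-2021-28169 vulnerability in jetty-servlets-9.4.39.v20210325 fixed in jetty 9.4.41, jetty 10.0.3, jetty 11.0.3
"""

# "<CVE> vulnerability in <artifact><space or dash><version> fixed in <fix>[, <fix>...]"
LINE_RE = re.compile(r"^(CVE-\d{4}-\d+) vulnerability in (\S+?)[ -](\d[\w.]*) fixed in (.+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.4.39.v20210325' -> (9, 4, 39, 20210325): keep numeric runs only."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_finding(line: str):
    """Return (cve, artifact, installed_version, [fixed_versions])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    cve, artifact, installed, fixes = m.groups()
    # Each fix is "<name> <version>" or "<name>-<version>"; take the trailing version token.
    fixed = [parse_version(re.search(r"(\d[\w.]*)$", f.strip()).group(1)) for f in fixes.split(",")]
    return cve, artifact, parse_version(installed), fixed


def common_prefix(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def is_affected(installed: Tuple[int, ...], fixed: List[Tuple[int, ...]]) -> bool:
    """Branch-aware check: pick the fix on the release line closest to the installed
    version (longest shared leading components; ties go to the lowest fix) and flag
    the install if it is below that fix. Assumption: a version above every listed
    fix (for example a newer line with no entry) is treated as not affected."""
    best = min(fixed, key=lambda f: (-common_prefix(installed, f), f))
    return installed < best


def triage(report: str) -> List[Tuple[str, str, bool]]:
    """Map each finding line to (cve, artifact, affected?)."""
    rows = [parse_finding(l) for l in report.splitlines() if l.strip()]
    return [(cve, art, is_affected(inst, fixed)) for cve, art, inst, fixed in rows]
```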
Re: vulnerabilities
Posted by Shilin Wu <sh...@confluent.io.INVALID>.
I will try to report this as well.
Thanks for pointing it out!
Wu Shilin
Solution Architect
+6581007012
On Fri, Jun 18, 2021 at 12:49 AM Elvis-ch1 <el...@yahoo.com.invalid>
wrote:
> Hello, I apologize if this is not the right email address to report
> vulnerabilities to; I couldn't find an email address here (
> https://github.com/apache/kafka/security ) to report vulnerabilities,
> which is not usually the case.
>
> We happen to be using Kafka in our environment (source image:
> https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
> to latest-kafka-2.8.0 and our vulnerability scanners found the
> following critical, high, and moderate vulnerabilities:
>
> PS: I did email the strimzi/kafka team and they highlighted that the
> vulnerabilities mentioned below are from Apache Kafka, and Strimzi only
> provides tooling for running Apache Kafka on Kubernetes.
>
> CVE-2017-18640 vulnerability in org.yaml_snakeyaml 1.23 fixed in snakeyaml 1.26
>
> CVE-2020-29582 vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50 fixed in kotlin 1.4.21
>
> CVE-2021-29425 vulnerability in commons-io_commons-io 1.26 fixed in apache-commons-io 2.7
>
> CVE-2019-17571 vulnerability in log4j_log4j 1.2.17 fixed in log4j 2.8.2
>
> CVE-2020-9488 vulnerability in log4j_log4j 1.2.17 fixed in log4j-2.13.2
>
> CVE-2021-28168 vulnerability in jersey-2.31 fixed in jersey 2.34, jersey 3.0.2
>
> CVE-2021-26291 vulnerability in maven-3.6.3 fixed in maven 3.8.1
>
> CVE-2021-28169 vulnerability in jetty-servlets-9.4.39.v20210325 fixed in jetty 9.4.41, jetty 10.0.3, jetty 11.0.3
>
> Please let me know when/if these vulnerabilities will be fixed/patched in
> Apache Kafka.
>
> Thanks.