Posted to jira@kafka.apache.org by "Scott Rowley (Jira)" <ji...@apache.org> on 2023/06/07 03:42:00 UTC

[jira] [Comment Edited] (KAFKA-15000) High vulnerability PRISMA-2023-0067 reported in jackson-core

    [ https://issues.apache.org/jira/browse/KAFKA-15000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17729848#comment-17729848 ] 

Scott Rowley edited comment on KAFKA-15000 at 6/7/23 3:41 AM:
--------------------------------------------------------------

[~showuon] Thank you for your time on this.  The vulnerability description is:

_com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion')._

Severity: High, CVSS 7.5

 

For some background for others, my understanding is the "PRISMA" identifier comes from a proprietary vulnerability database from Twistlock, now owned by Palo Alto's PRISMA scanner.  In my observation, they tend to flag items where a "security related" merge has been made in a GitHub project as a mechanism for their customers to trigger version upgrades.  This makes it hard for downstream projects such as Kafka to keep up, as there often isn't a public reference to assess risk or otherwise act on.  As an example, -there's no linked Jackson GitHub request- I see, so it is not clear whether this may have also been addressed in the latest minor version of Jackson, 2.14.3, which was released after 2.15.0. Edit: Linked PR is [https://github.com/FasterXML/jackson-core/pull/827] 

I've been lurking for a while, but I'm not sure I've come across any dependency upgrade strategy or policy for Kafka (e.g. when to do minor version updates, when to do major).  From looking at the Jackson GitHub and wiki (some of the lifecycle information there seems out of date), the 2.15 and 2.14 versions are actively in release mode.  2.13 may still be open for selective fixes but appears to be next on the list for end of life.  So independent of any vulnerability, getting Kafka off 2.13 is likely a good medium-term activity.  The PR [https://github.com/apache/kafka/pull/13662] seems to be making progress on this, though with some technical hurdles still to overcome.

Edit: Added link to the PR reported by PRISMA as the vulnerable change: [https://github.com/FasterXML/jackson-core/pull/827/files]  While it seems some of it may have gotten into 2.14 ([https://github.com/FasterXML/jackson-core/pull/1013]), it seems like not everything did.


was (Author: JIRAUSER300756):
[~showuon] Thank you for your time on this.  The vulnerability description is:

_com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion')._

Severity: High, CVSS 7.5

 

For some background for others, my understanding is the "PRISMA" identifier comes from a proprietary vulnerability database from Twistlock, now owned by Palo Alto's PRISMA scanner.  In my observation, they tend to flag items where a "security related" merge has been made in a GitHub project as a mechanism for their customers to trigger version upgrades.  This makes it hard for downstream projects such as Kafka to keep up, as there often isn't a public reference to assess risk or otherwise act on.  As an example, there's no linked Jackson GitHub request I see, so it is not clear whether this may have also been addressed in the latest minor version of Jackson, 2.14.3, which was released after 2.15.0.

I've been lurking for a while, but I'm not sure I've come across any dependency upgrade strategy or policy for Kafka (e.g. when to do minor version updates, when to do major).  From looking at the Jackson GitHub and wiki (some of the lifecycle information there seems out of date), the 2.15 and 2.14 versions are actively in release mode.  2.13 may still be open for selective fixes but appears to be next on the list for end of life.  So independent of any vulnerability, getting Kafka off 2.13 is likely a good medium-term activity.  The PR [https://github.com/apache/kafka/pull/13662] seems to be making progress on this, though with some technical hurdles still to overcome.

> High vulnerability PRISMA-2023-0067 reported in jackson-core
> ------------------------------------------------------------
>
>                 Key: KAFKA-15000
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15000
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.4.0, 3.3.2
>            Reporter: Arushi Rai
>            Priority: Critical
>
> Kafka is using jackson-core version 2.13.4, which has a high vulnerability reported: [PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827].
> This vulnerability is fixed in jackson-core 2.15.0 and Kafka should upgrade to the same. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)