How to handle Confluent CVEs?

Hey folks,
Can you please share your suggestions and ideas about how to address Confluent Kafka CVEs on each version?
Do I need to take any action on them?

Thanks,
Liz.

Do you mean NVD - CVE-2021-38153? You can upgrade to 2.8.1 or 3.0.0.
If you are using Spring, and specifically the related Kafka-test, you have to wait a bit for the next release. See Releases · spring-projects/spring-kafka · GitHub (main branch is already updated to 2.8.1).

Sorry for the delayed response.
I am asking in general. Usually, when Confluent publishes the CVE list for each version, we should wait until the next release or upgrade to the next release. But due to the constraints that we have, we cannot immediately proceed to the next upgrade. So how do we handle this situation?

Thx,
Liz.

Are you already a Confluent customer? This is something that you could raise a support ticket to discuss directly.

Yes, we do.
Let me check with them.

Thank you.