We use confluent (confluent-6.2.4.tar.gz) and we noticed that the software has several vulnerabilities
example opt/schema-registry/confluent-6.2.4/share/java/ksqldb/protobuf-java-3.17.0.jar
Do we know what is the plan (if any) to fix them ?
Hi @lvarallo . The known issues for Confluent Platform v 6.2.4 are at Confluent Platform 6.2.4 Release Notes | Confluent Documentation
What vulnerabilities have you noticed?
I hope this will render on the forum , I noticed 35 vulnerabilities
Did you notice them in your environment or did you see them on the documentation or other place?
I noticed them after installing and running a security scan (no mention in the release notes as far as I can see )
There are in the following components
|Component Name|Component Version|
|maven:io.netty:netty-all|4.1.63.Final|
|maven:io.netty:netty-all|4.1.63.Final|
|maven:com.google.oauth-client:google-oauth-client|1.31.1|
|maven:io.github.classgraph:classgraph|4.8.59|
|maven:com.google.code.gson:gson|2.8.6|
|maven:io.github.classgraph:classgraph|4.8.21|
|maven:com.fasterxml.jackson.core:jackson-databind|2.10.5.1|
|maven:com.fasterxml.jackson.core:jackson-databind|2.10.5.1|
|maven:io.confluent:confluent-log4j|1.2.17-cp2.2|
|maven:com.squareup.okhttp3:okhttp|4.3.0|
|maven:org.glassfish:jakarta.el|3.0.3|
|maven:io.netty:netty-all|4.1.63.Final|
|maven:io.vertx:vertx-web|3.9.12|
|maven:com.google.protobuf:protobuf-java|3.11.4|
|maven:io.netty:netty-handler|4.1.72.Final|
|maven:org.bouncycastle:bc-fips|1.0.2|
|maven:io.netty:netty-all|4.1.63.Final|
|maven:com.google.guava:guava|30.1.1-jre|
|maven:com.google.protobuf:protobuf-java|3.17.0|
|maven:io.netty:netty-common|4.1.73.Final|
|aname:swagger-ui-dist|3.25.0|
|maven:io.netty:netty-all|4.1.63.Final|
|maven:commons-codec:commons-codec|1.13|
|maven:io.netty:netty-handler|4.1.73.Final|
|maven:io.netty:netty-common|4.1.72.Final|
|maven:org.bouncycastle:bcprov-jdk15on|1.68|
|aname:swagger-ui-dist|3.25.0|
|maven:com.google.guava:guava|30.0-jre|
|maven:org.bouncycastle:bc-fips|1.0.2.1|
|maven:com.madgag.spongycastle:core|1.54.0.0|
|maven:org.bouncycastle:bcprov-jdk15on|1.68|
|maven:org.apache.kafka:kafka-streams|2.8.1|
|maven:org.bouncycastle:bc-fips|1.0.2|
|maven:org.javassist:javassist|3.18.1-GA|
What’s the actual security vulnerability that you’ve detected?
here the CVE ID and security scores (CVSS)
| CVE ID | CVSS |
|---|---|
| CVE-2021-22573 | 8.7 |
| sonatype-2021-0789 | 8.4 |
| sonatype-2010-0053 | 7.8 |
| CVE-2021-37136 | 7.5 |
| sonatype-2021-1694 | 7.5 |
| sonatype-2021-4682 | 7.5 |
| CVE-2020-36518 | 7.5 |
| CVE-2021-0341 | 7.5 |
| sonatype-2020-1438 | 7.5 |
| CVE-2021-37137 | 7.5 |
| sonatype-2021-1074 | 7.3 |
| sonatype-2021-1074 | 7.3 |
| sonatype-2020-0026 | 6.5 |
| sonatype-2020-0026 | 6.5 |
| CVE-2021-43797 | 6.5 |
| sonatype-2020-0026 | 6.5 |
| sonatype-2020-0926 | 6.2 |
| sonatype-2020-0926 | 6.2 |
| sonatype-2021-4711 | 6.1 |
| sonatype-2020-0532 | 6.1 |
| CVE-2020-15522 | 5.9 |
| CVE-2021-22569 | 5.5 |
| CVE-2021-22569 | 5.5 |
| CVE-2022-24823 | 5.5 |
| CVE-2022-24823 | 5.5 |
| sonatype-2020-0340 | 5.4 |
| sonatype-2012-0050 | 5.3 |
| sonatype-2021-4916 | 5.3 |
| sonatype-2014-0257 | 4.8 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0422 | 3.7 |
| sonatype-2019-0673 | 3.7 |
This topic was automatically closed after 30 days. New replies are no longer allowed.