Security vulnerabilities in confluent-6.2.4.tar.gz

We use Confluent (confluent-6.2.4.tar.gz) and we noticed that the software has several vulnerabilities,

for example opt/schema-registry/confluent-6.2.4/share/java/ksqldb/protobuf-java-3.17.0.jar

Do we know what the plan (if any) is to fix them?

Hi @lvarallo. The known issues for Confluent Platform v6.2.4 are at Confluent Platform 6.2.4 Release Notes | Confluent Documentation.

What vulnerabilities have you noticed?

I hope this will render on the forum. I noticed 35 vulnerabilities.

Did you notice them in your environment or did you see them on the documentation or other place?

I noticed them after installing and running a security scan (no mention in the release notes as far as I can see).

They are in the following components:

| Component Name | Component Version |
|---|---|
| maven:io.netty:netty-all | 4.1.63.Final |
| maven:io.netty:netty-all | 4.1.63.Final |
| maven:com.google.oauth-client:google-oauth-client | 1.31.1 |
| maven:io.github.classgraph:classgraph | 4.8.59 |
| maven:com.google.code.gson:gson | 2.8.6 |
| maven:io.github.classgraph:classgraph | 4.8.21 |
| maven:com.fasterxml.jackson.core:jackson-databind | 2.10.5.1 |
| maven:com.fasterxml.jackson.core:jackson-databind | 2.10.5.1 |
| maven:io.confluent:confluent-log4j | 1.2.17-cp2.2 |
| maven:com.squareup.okhttp3:okhttp | 4.3.0 |
| maven:org.glassfish:jakarta.el | 3.0.3 |
| maven:io.netty:netty-all | 4.1.63.Final |
| maven:io.vertx:vertx-web | 3.9.12 |
| maven:com.google.protobuf:protobuf-java | 3.11.4 |
| maven:io.netty:netty-handler | 4.1.72.Final |
| maven:org.bouncycastle:bc-fips | 1.0.2 |
| maven:io.netty:netty-all | 4.1.63.Final |
| maven:com.google.guava:guava | 30.1.1-jre |
| maven:com.google.protobuf:protobuf-java | 3.17.0 |
| maven:io.netty:netty-common | 4.1.73.Final |
| aname:swagger-ui-dist | 3.25.0 |
| maven:io.netty:netty-all | 4.1.63.Final |
| maven:commons-codec:commons-codec | 1.13 |
| maven:io.netty:netty-handler | 4.1.73.Final |
| maven:io.netty:netty-common | 4.1.72.Final |
| maven:org.bouncycastle:bcprov-jdk15on | 1.68 |
| aname:swagger-ui-dist | 3.25.0 |
| maven:com.google.guava:guava | 30.0-jre |
| maven:org.bouncycastle:bc-fips | 1.0.2.1 |
| maven:com.madgag.spongycastle:core | 1.54.0.0 |
| maven:org.bouncycastle:bcprov-jdk15on | 1.68 |
| maven:org.apache.kafka:kafka-streams | 2.8.1 |
| maven:org.bouncycastle:bc-fips | 1.0.2 |
| maven:org.javassist:javassist | 3.18.1-GA |

What’s the actual security vulnerability that you’ve detected?

Here are the CVE IDs and security scores (CVSS):

| CVE ID | CVSS |
|---|---|
| CVE-2021-22573 | 8.7 |
| sonatype-2021-0789 | 8.4 |
| sonatype-2010-0053 | 7.8 |
| CVE-2021-37136 | 7.5 |
| sonatype-2021-1694 | 7.5 |
| sonatype-2021-4682 | 7.5 |
| CVE-2020-36518 | 7.5 |
| CVE-2021-0341 | 7.5 |
| sonatype-2020-1438 | 7.5 |
| CVE-2021-37137 | 7.5 |
| sonatype-2021-1074 | 7.3 |
| sonatype-2021-1074 | 7.3 |
| sonatype-2020-0026 | 6.5 |
| sonatype-2020-0026 | 6.5 |
| CVE-2021-43797 | 6.5 |
| sonatype-2020-0026 | 6.5 |
| sonatype-2020-0926 | 6.2 |
| sonatype-2020-0926 | 6.2 |
| sonatype-2021-4711 | 6.1 |
| sonatype-2020-0532 | 6.1 |
| CVE-2020-15522 | 5.9 |
| CVE-2021-22569 | 5.5 |
| CVE-2021-22569 | 5.5 |
| CVE-2022-24823 | 5.5 |
| CVE-2022-24823 | 5.5 |
| sonatype-2020-0340 | 5.4 |
| sonatype-2012-0050 | 5.3 |
| sonatype-2021-4916 | 5.3 |
| sonatype-2014-0257 | 4.8 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0673 | 3.7 |
| sonatype-2019-0422 | 3.7 |
| sonatype-2019-0673 | 3.7 |