[jira] [Updated] (KAFKA-15128) snappy-java-1.1.8.4.jar library vulnerability

Tue, 27 Jun 2023 02:19:03 -0700 


     [ 
https://issues.apache.org/jira/browse/KAFKA-15128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

priyatama updated KAFKA-15128:
------------------------------
    Description: 
Hi Team,

we found new vulnerability introduced in snappy-java-1.1.8.4 library, so we 
need to get rid of it.

!Screenshot 2023-06-27 at 12.30.51 PM.png|width=321,height=230!

during analysis, we found snappy-java coming via kafka-clients.

As our application is not directly using snappy-java jar.

Can any one please explain what is use of snappy-java in kafka-client or can we 
exclude that?

Latest kafka-client also having vulnerable snappy-jar, by when kafka-client 
will release next version which is having non-vulnerable snappy-java jar in it?

cc: [Mickael 
Maison|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=mimaison]

  was:
Hi Team,

we found new vulnerability introduced in snappy-java-1.1.8.4 library, so we 
need to get rid of it.

!Screenshot 2023-06-27 at 12.30.51 PM.png|width=321,height=230!

during analysis, we found snappy-java coming via kafka-clients.

As our application is not directly using snappy-java jar.

Can any one please explain what is use of snappy-java in kafka-client or can we 
exclude that?

Latest kafka-client also having vulnerable snappy-jar, by when kafka-client 
will release next version which is having non-vulnerable snappy-java jar in it?


> snappy-java-1.1.8.4.jar library vulnerability
> ---------------------------------------------
>
>                 Key: KAFKA-15128
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15128
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.4.0
>            Reporter: priyatama
>            Priority: Major
>         Attachments: Screenshot 2023-06-27 at 12.30.51 PM.png
>
>
> Hi Team,
> we found new vulnerability introduced in snappy-java-1.1.8.4 library, so we 
> need to get rid of it.
> !Screenshot 2023-06-27 at 12.30.51 PM.png|width=321,height=230!
> during analysis, we found snappy-java coming via kafka-clients.
> As our application is not directly using snappy-java jar.
> Can any one please explain what is use of snappy-java in kafka-client or can 
> we exclude that?
> Latest kafka-client also having vulnerable snappy-jar, by when kafka-client 
> will release next version which is having non-vulnerable snappy-java jar in 
> it?
> cc: [Mickael 
> Maison|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=mimaison]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to