Rohit Kumar created HADOOP-19168:
------------------------------------

             Summary: Upgrade Kafka Clients due to CVEs
                 Key: HADOOP-19168
                 URL: https://issues.apache.org/jira/browse/HADOOP-19168
             Project: Hadoop Common
          Issue Type: Task
            Reporter: Rohit Kumar


Upgrade Kafka Clients due to CVEs

CVE-2023-25194: Affected versions of this package are vulnerable to 
Deserialization of Untrusted Data when there are gadgets in the 
classpath. The server will connect to the attacker's LDAP server and 
deserialize the LDAP response, which the attacker can use to execute Java 
deserialization gadget chains on the Kafka Connect server.
CVSS Score: 8.8 (High)
https://nvd.nist.gov/vuln/detail/CVE-2023-25194

CVE-2021-38153

CVE-2018-17196

Insufficient Entropy

https://security.snyk.io/package/maven/org.apache.kafka:kafka-clients

Upgrade Kafka-Clients to 3.4.0 or higher.
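Added example (not part of this ticket or of Hadoop's build): a Python check that scans a Maven POM for org.apache.kafka:kafka-clients and flags any resolved version below the 3.4.0 floor recommended above, resolving a version declared through a ${property} as multi-module builds commonly do. The sample POM and its 2.8.2 value are constructed.

```python
# Added example, not from HADOOP-19168: flag kafka-clients versions below
# the 3.4.0 floor in a Maven POM, resolving ${property} version references.
import re
import xml.etree.ElementTree as ET

MIN_SAFE = (3, 4, 0)  # first kafka-clients release the ticket accepts
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM (not Hadoop's real file); 2.8.2 is below the floor.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><kafka.version>2.8.2</kafka.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-clients</artifactId>
      <version>${kafka.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-streams</artifactId>
      <version>3.4.0</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""


def parse_version(text):
    """Turn '3.4.0' or '2.8.2-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def find_kafka_clients(pom_xml):
    """Return (declared, resolved, below_floor) for every kafka-clients dependency."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so ${name} in a <version> can be resolved.
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS)
        aid = dep.findtext("m:artifactId", "", NS)
        if (gid, aid) != ("org.apache.kafka", "kafka-clients"):
            continue
        declared = dep.findtext("m:version", "", NS)
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda mm: props.get(mm.group(1), mm.group(0)), declared)
        hits.append((declared, resolved, parse_version(resolved) < MIN_SAFE))
    return hits
```

A POM scan only sees direct declarations; a transitively pulled-in kafka-clients still needs `mvn dependency:tree` (or the equivalent for the build in use) to confirm the version actually shipped.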



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
