Hi Ashish,

CVE-2021-36159: It's a libfetch lib vulnerability. It's not a Kafka dependency lib; I guess it's in the docker's base OS image.
CVE-2019-17571: a log4j vulnerability. KAFKA-9366 <https://issues.apache.org/jira/browse/KAFKA-9366> is working on it.

Thank you.
Luke

On Wed, Sep 1, 2021 at 9:26 PM Ashish Patil <ashish.pa...@gm.com> wrote:

> Hi Team
>
> I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.
>
> What is your suggestion on this?
>
> Thanks
> Ashish
>
> *From:* Jake Murphy Smith <jake.murphysm...@gm.com>
> *Sent:* 01 September 2021 09:31
> *To:* Ashish Patil <ashish.pa...@gm.com>
> *Subject:* RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> *From:* Luke Chen <show...@gmail.com>
> *Sent:* 01 September 2021 04:11
> *To:* Kafka Users <us...@kafka.apache.org>
> *Cc:* dev@kafka.apache.org; Jake Murphy Smith <jake.murphysm...@gm.com>
> *Subject:* [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> *ATTENTION:* This email originated from outside of GM.
>
> Hi Ashish,
>
> I suggested that you upgrade to V2.8.
>
> I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in V2.8.
>
> If you still find the CVEs exist in V2.8, please raise it.
>
> Thank you.
> Luke
>
> On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <ashish.pa...@gm.com> wrote:
>
> Hi Team
>
> I wanted to use the 2.6.0 docker image for Kafka but it has lots of security vulnerabilities.
> Please find below the list of security vulnerabilities:
>
> CVE-2021-36159
> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
> CVE-2021-22926
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-22922
> CVE-2021-22924
> CVE-2021-31535
> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>
> I did raise this issue here https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the issue is within the Kafka binary.
>
> Do we have any plan to fix this in the coming version or any suggestions around this?
>
> Thanks
> Ashish