Valeriy Kassenbayev created KAFKA-14206:
-------------------------------------------
Summary: Upgrade zookeeper to 3.7.1 to address security
vulnerabilities
Key: KAFKA-14206
URL: https://issues.apache.org/jira/browse/KAFKA-14206
Project: Kafka
Issue Type: Improvement
Components: packaging
Affects Versions: 3.2.1
Reporter: Valeriy Kassenbayev
Kafka 3.2.1 is using ZooKeeper, which is affected by
[CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and
[CVE-2021-37137:|https://www.cve.org/CVERecord?id=CVE-2021-37137]
{code:java}
✗ Denial of Service (DoS) [High
Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in
io.netty:netty-codec@4.1.63.Final
introduced by org.apache.kafka:kafka_2.13@3.2.1 >
org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final >
io.netty:netty-codec@4.1.63.Final
This issue was fixed in versions: 4.1.68.Final
✗ Denial of Service (DoS) [High
Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in
io.netty:netty-codec@4.1.63.Final
introduced by org.apache.kafka:kafka_2.13@3.2.1 >
org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final >
io.netty:netty-codec@4.1.63.Final
This issue was fixed in versions: 4.1.68.Final {code}
The issues were fixed in the next versions of ZooKeeper (starting from 3.6.4).
ZooKeeper 3.7.1 is the next stable
[release|https://zookeeper.apache.org/releases.html] at the moment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
