divijvaidya opened a new pull request, #531:
URL: https://github.com/apache/kafka-site/pull/531

   ## Change
   Add details about CVE-2023-34455 to cve-list section of the website as an 
action item from discussion in the mailing list secur...@kafka.apache.org.
   
   ## FAQs
   
   1. What versions of Kafka are impacted?
   A. All versions that support Snappy are impacted starting from [Apache Kafka 
0.8.0](https://issues.apache.org/jira/browse/KAFKA-187) starting with 
[snappy-java version 
1.0.4.1](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/project/build/KafkaProject.scala#L249).
 Note that Apache Kafka (AK) has been using the same Snappy-Java API 
(SnappyInputStream) [since the 
beginning](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/core/src/main/scala/kafka/message/CompressionFactory.scala#L45).
   
   2. What versions of Snappy-Java have this vulnerability?
   A. [All versions prior to 
1.1.10.1](https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh)
   
   3. Which users are impacted?
   A. All workloads which use snappy based compression are impacted. Even if a 
user isn't currently using snappy compression, a malicious user can send a 
produce request containing a record with a malicious payload which is 
compressed using snappy.
   
   ## Testing
   
   Result of running the website locally after applying this PR is as follows:
   
   ![Screenshot 2023-07-04 at 16 55 
44](https://github.com/apache/kafka-site/assets/71267/47fc2057-298c-4028-be97-e82a5e4f849f)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to