https://issues.apache.org/jira/browse/KAFKA-15000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17729848#comment-17729848

Scott Rowley commented on KAFKA-15000:
--------------------------------------

[~showuon] Thank you for your time on this.  The vulnerability description is:

_com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are 
vulnerable to Denial of Service (DoS). The package does not properly restrict 
the size or amount of resources that are requested or influenced by an actor, 
which can be used to consume more resources than intended and leads to 
Uncontrolled Resource Consumption ('Resource Exhaustion')._

Severity: High, CVSS 7.5


For some background for others, my understanding is the "PRISMA" identifier 
comes from a proprietary vulnerability database from Twistlock, now owned by 
Palo Alto's PRISMA scanner.  In my observations, they tend to flag items where 
a "security related" merge has been made in a github project as a mechanism for 
their customers to trigger version upgrades.  This makes it hard for downstream 
projects such as Kafka to keep up, as there often isn't a public reference to 
assess risk or otherwise action.  As an example, there's no linked Jackson 
github request I see, so it is not clear whether this may have also been 
addressed on the latest minor version of jackson 2.14.3 which is after 2.15.0 
was released.

I've been lurking for a while, but I'm not sure I've come across any dependency 
upgrade strategy or policy for Kafka (e.g. when to do minor version updates, 
when to do major).  From looking at the Jackson GitHub and wiki, where some of 
the lifecycle information seems out of date, the 2.15 and 2.14 versions are 
actively in release mode.  2.13 may still be open for selective fixes but 
appears to be next on the list to end of life.  So independent of any 
vulnerability, getting Kafka off 2.13 is likely a good medium-term activity.  
The PR [https://github.com/apache/kafka/pull/13662] seems to be making progress 
on this, though with some technical hurdles still to overcome.

> High vulnerability PRISMA-2023-0067 reported in jackson-core
> ------------------------------------------------------------
>
>                 Key: KAFKA-15000
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15000
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.4.0, 3.3.2
>            Reporter: Arushi Rai
>            Priority: Critical
>
> Kafka is using jackson-core version 2.13.4, which has a high vulnerability 
> reported, [PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]. 
> This vulnerability is fixed in Jackson-core 2.15.0 and Kafka should upgrade to 
> the same. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
