[ https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mickael Maison updated KAFKA-16645:
-----------------------------------
Description:
Our [Docker Image CVE Scanner|https://github.com/apache/kafka/actions/runs/8888874393] GitHub action reports 2 high CVEs in our base image:

apache/kafka:3.7.0 (alpine 3.19.1)
==================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
│          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Looking at the [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?] that introduced the docker images, it seems we should release a bugfix when high CVEs are detected. It would be good to investigate and assess whether Kafka is impacted or not.
was:
Our Docker Image CVE Scanner GitHub action reports 2 high CVEs in our base image:

apache/kafka:3.7.0 (alpine 3.19.1)
==================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
│          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Looking at the [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?] that introduced the docker images, it seems we should release a bugfix when high CVEs are detected. It would be good to investigate and assess whether Kafka is impacted or not.
> CVEs in 3.7.0 docker image
> --------------------------
>
> Key: KAFKA-16645
> URL: https://issues.apache.org/jira/browse/KAFKA-16645
> Project: Kafka
> Issue Type: Task
> Affects Versions: 3.7.0
> Reporter: Mickael Maison
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)