[ 
https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842419#comment-17842419
 ] 

Matthias J. Sax commented on KAFKA-16645:
-----------------------------------------

I believe fixing these CVEs should be a blocker for 3.7.1 and 3.8.0? Thoughts?

> CVEs in 3.7.0 docker image
> --------------------------
>
>                 Key: KAFKA-16645
>                 URL: https://issues.apache.org/jira/browse/KAFKA-16645
>             Project: Kafka
>          Issue Type: Task
>    Affects Versions: 3.7.0
>            Reporter: Mickael Maison
>            Priority: Blocker
>             Fix For: 3.8.0, 3.7.1
>
>
> Our [Docker Image CVE 
> Scanner|https://github.com/apache/kafka/actions/runs/8888874393] GitHub 
> action reports 2 high CVEs in our base image:
> apache/kafka:3.7.0 (alpine 3.19.1)
> ==================================
> Total: 2 (HIGH: 2, CRITICAL: 0)
> ┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
> │ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
> ├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
> │ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
> │          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
> │          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
> └──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
> Looking at the 
> [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?]
> that introduced the docker images, it seems we should release a bugfix when 
> high CVEs are detected. It would be good to investigate and assess whether 
> Kafka is impacted or not.
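The box-drawing table quoted above is the layout Trivy prints, and it is awkward to act on by hand: repeated cells are left blank and each advisory URL sits on a continuation line. The following Python parser is an added example, not code from the Kafka project or this thread; it reads that table into one record per CVE and applies the rule from the KIP that HIGH/CRITICAL findings in the image call for a bugfix release. The sample report is constructed from the quoted table with narrower columns.

```python
# Constructed sample, modelled on the scanner table quoted in the issue (columns narrowed).
SAMPLE_REPORT = """\
Total: 2 (HIGH: 2, CRITICAL: 0)
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a DoS│
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425   │
│          ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────┤
│          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
"""

COLUMNS = ("library", "cve", "severity", "status", "installed", "fixed", "title")

def parse_trivy_table(text: str) -> list[dict]:
    """Parse the box-drawing table into one dict per CVE. Blank library/severity/
    status/installed cells repeat the previous row; the line under a title is its URL."""
    findings, carry, in_body = [], {}, False
    for line in text.splitlines():
        # Borders and intra-row separators contain '─'; only cell rows start with '│'.
        if not line.startswith("│") or "─" in line:
            continue
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, cells))
        if row["cve"] == "Vulnerability":          # header row
            in_body = True
        elif not in_body:
            continue
        elif row["cve"]:                            # first line of a finding
            for key in ("library", "severity", "status", "installed"):
                carry[key] = row[key] or carry.get(key, "")
            findings.append({**row, **carry, "url": ""})
        elif findings and row["title"].startswith("http"):   # continuation line
            findings[-1]["url"] = row["title"]
    return findings

def release_blockers(findings: list[dict]) -> list[dict]:
    """Per the KIP quoted in the issue, HIGH/CRITICAL findings in the image call for
    a bugfix release; status 'fixed' means a rebuild on a patched base clears them."""
    return [f for f in findings if f["severity"] in ("HIGH", "CRITICAL")]
```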



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
