[ https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Soarez resolved KAFKA-16645.
---------------------------------
      Assignee: Igor Soarez
    Resolution: Won't Fix

The vulnerability has already been addressed in the base image, under the same 
image tag, so the next published Kafka images will not ship the vulnerability.

We do not republish previous releases, so we're not taking any action here.

> CVEs in 3.7.0 docker image
> --------------------------
>
>                 Key: KAFKA-16645
>                 URL: https://issues.apache.org/jira/browse/KAFKA-16645
>             Project: Kafka
>          Issue Type: Task
>    Affects Versions: 3.7.0
>            Reporter: Mickael Maison
>            Assignee: Igor Soarez
>            Priority: Blocker
>             Fix For: 3.8.0, 3.7.1
>
>
> Our [Docker Image CVE 
> Scanner|https://github.com/apache/kafka/actions/runs/8888874393] GitHub 
> action reports 2 high CVEs in our base image:
> apache/kafka:3.7.0 (alpine 3.19.1)
> ==================================
> Total: 2 (HIGH: 2, CRITICAL: 0)
> Library   Vulnerability   Severity  Status  Installed Version  Fixed Version  Title
> --------  --------------  --------  ------  -----------------  -------------  -----------------------------------------------------------
> libexpat  CVE-2023-52425  HIGH      fixed   2.5.0-r2           2.6.0-r0       expat: parsing large tokens can trigger a denial of service
>                                                                               https://avd.aquasec.com/nvd/cve-2023-52425
> libexpat  CVE-2024-28757  HIGH      fixed   2.5.0-r2           2.6.2-r0       expat: XML Entity Expansion
>                                                                               https://avd.aquasec.com/nvd/cve-2024-28757
> Looking at the 
> [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?]
>  that introduced the docker images, it seems we should release a bugfix when 
> high CVEs are detected. It would be good to investigate and assess whether 
> Kafka is impacted or not.
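A check a defender can run to confirm that a published image carries the patched base-image package, added here as an example that is not part of the Jira thread or the Kafka project: it reads the libexpat version out of an image and compares it with the two Fixed Version values from the scanner table above. Docker being available and the image being Alpine-based (as apache/kafka:3.7.0 is) are assumptions; the version comparator follows Alpine's MAJOR.MINOR.PATCH-rN scheme.

```shell
#!/bin/sh
# Added example, not code from the Kafka project: confirm that the libexpat
# package in a published apache/kafka image meets the scanner's Fixed Version.
# Assumes an Alpine-based image and the apk version scheme MAJOR.MINOR.PATCH-rN.

# Turn an apk version such as "2.6.0-r0" into a fixed-width sortable key.
apk_ver_key() {
    case "$1" in
        *-r*) rel=${1##*-r}; base=${1%-r*} ;;
        *)    rel=0;         base=$1 ;;      # no -rN suffix: treat as r0
    esac
    oldifs=$IFS; IFS=.                        # split MAJOR.MINOR.PATCH
    set -- $base
    IFS=$oldifs
    printf '%03d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rel"
}

# Succeed (exit 0) when installed version $1 is at least fixed version $2.
apk_version_ge() {
    set -- "$(apk_ver_key "$1")" "$(apk_ver_key "$2")"
    [ "$1" = "$2" ] && return 0
    # Keys have the same width, so the lexically smaller key is the older version.
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]
}

# Read the installed libexpat version from an image (needs docker; not run offline).
image_libexpat_version() {
    docker run --rm --entrypoint apk "$1" info -v 2>/dev/null | sed -n 's/^libexpat-//p'
}

# Compare an installed libexpat version with the Fixed Version of each finding
# reported above; exit status is 0 only when both CVEs are covered.
check_libexpat_cves() {
    installed=$1; rc=0
    for finding in "CVE-2023-52425 2.6.0-r0" "CVE-2024-28757 2.6.2-r0"; do
        set -- $finding
        if apk_version_ge "$installed" "$2"; then
            echo "$1: fixed   (libexpat $installed >= $2)"
        else
            echo "$1: present (libexpat $installed <  $2)"; rc=1
        fi
    done
    return $rc
}

# Usage: IMAGE=apache/kafka:3.7.0 sh check.sh   (does nothing without docker)
if [ -n "${IMAGE:-}" ] && command -v docker >/dev/null 2>&1; then
    check_libexpat_cves "$(image_libexpat_version "$IMAGE")"
fi
```

Because the same tag is rebuilt in place, the check is worth repeating against the tag actually deployed rather than trusting the scan date.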



--
This message was sent by Atlassian Jira
(v8.20.10#820010)