[ https://issues.apache.org/jira/browse/KAFKA-15443?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno Cadonna updated KAFKA-15443:
----------------------------------
    Description: 
Kafka Streams currently depends on RocksDB 7.9.2

However, the latest version of RocksDB is already 8.5.3. We should check the 
RocksDB release notes to see what benefits we get to upgrade to the latest 
version (and file corresponding tickets to exploit improvement of newer 
releases as applicable).


From the duplicate ticket KAFKA-18204:

Kafka still uses rocksdbjni version 7.x (ref: 
[https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L120]) 
which is no longer receiving backports from upstream.
Please update to rocksdb version 9.x (latest version) so that security updates 
are received.

Examples for critical vulnerabilities (CVE score 9.8) in rocksdb version 7.x:
[https://nvd.nist.gov/vuln/detail/CVE-2023-45853]
[https://nvd.nist.gov/vuln/detail/CVE-2022-37434]

(updating to the tip of 8.x release fixes these two vulnerabilities but for any 
new security fixes, we will need to move to 9.x)

  was:
Kafka Streams currently depends on RocksDB 7.9.2

However, the latest version of RocksDB is already 8.5.3. We should check the 
RocksDB release notes to see what benefits we get to upgrade to the latest 
version (and file corresponding tickets to exploit improvement of newer 
releases as applicable).


> Upgrade RocksDB dependency
> --------------------------
>
>                 Key: KAFKA-15443
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15443
>             Project: Kafka
>          Issue Type: Task
>          Components: streams
>            Reporter: Matthias J. Sax
>            Assignee: Matthias J. Sax
>            Priority: Blocker
>             Fix For: 4.0.0
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
