Mickael Maison created KAFKA-16645:
--------------------------------------

             Summary: CVEs in 3.7.0 docker image
                 Key: KAFKA-16645
                 URL: https://issues.apache.org/jira/browse/KAFKA-16645
             Project: Kafka
          Issue Type: Task
    Affects Versions: 3.7.0
            Reporter: Mickael Maison
Our Docker Image CVE Scanner GitHub action reports 2 high CVEs in our base image:

apache/kafka:3.7.0 (alpine 3.19.1)
==================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
│          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Looking at the [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?] that introduced the docker images, it seems we should release a bugfix when high CVEs are detected.

It would be good to investigate and assess whether Kafka is impacted or not.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
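As an added example (not part of the issue or of the Kafka project's code), a small Python parser for the scanner table quoted above: it fills in the merged cells that the scanner leaves blank for a second CVE in the same library, applies the bugfix-release rule as the issue summarises the KIP, and works out the lowest libexpat package version that closes both CVEs. The embedded rows are the ones from the issue; the function names are this example's own.

```python
from collections import namedtuple
from typing import Dict, List

# Data rows of the Trivy table quoted in the issue; the row for a second CVE in the same library leaves merged cells blank.
REPORT = """\
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
│          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
"""

Finding = namedtuple("Finding", "library cve severity status installed fixed title url")

def parse_trivy_table(text: str) -> List[Finding]:
    """Turn the box-drawing table into Finding records, filling merged cells."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│") or "─" in line:
            continue  # border, separator (├───┤) or text outside the table
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 7 or cells[0] == "Library":
            continue  # header row, or a line of unexpected shape
        lib, cve, sev, status, installed, fixed, title = cells
        prev = findings[-1] if findings else Finding(*[""] * 8)
        if cve:  # new finding; blank cells repeat the row above
            findings.append(Finding(lib or prev.library, cve, sev or prev.severity,
                                    status or prev.status, installed or prev.installed,
                                    fixed, title, ""))
        elif findings and title.startswith("http"):
            findings[-1] = prev._replace(url=title)  # advisory link on the next row
    return findings

def apk_version_key(version: str) -> tuple:
    """Sort key for Alpine package versions such as '2.6.2-r0'."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in base.split(".")) + (int(rel or 0),)

def needs_bugfix_release(findings: List[Finding]) -> List[Finding]:
    """KIP rule as the issue reads it: any HIGH/CRITICAL CVE in the image."""
    return [f for f in findings if f.severity in ("HIGH", "CRITICAL")]

def required_upgrades(findings: List[Finding]) -> Dict[str, str]:
    """Lowest package version per library that closes every listed CVE."""
    needed: Dict[str, str] = {}
    for f in findings:
        if f.fixed and apk_version_key(f.fixed) > apk_version_key(needed.get(f.library, "0")):
            needed[f.library] = f.fixed
    return needed
```

Running it on the full scanner output (header, totals and borders included) gives the same two findings, since lines outside the data rows are skipped.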