Thanks for the reported issue.

For guava I think we should just upgrade version to 24.1.1 or newer to
resolve 10237.

For rocksdbjni, I saw that at the moment even current master is still using
bzip version 1.0.6, so 3189 and 12900 would still exist in the newest rocksDB
version. I'd suggest you post on the rocksdb community and see if their
community has a better understanding of how to resolve this.


Guozhang


On Mon, Apr 13, 2020 at 6:19 PM kangbotao <kangbo...@huawei.com> wrote:

> Hi Kafka experts:
>
>    I figured out that the guava and rocksdbjni used by Kafka of the
> latest version 2.4.1 relate to several CVEs.
>
>    The CVE for guava 20 is CVE-2018-10237, and the CVEs for rocksdbjni
> compiled with bzip2 1.0.6 is CVE-2016-3189 and CVE-2019-12900.
>
>    Is Kafka affected by these CVEs?
>    Is there any plan to upgrade the version of guava and rocksdbjni?
>
> Sincerely look forward to your reply.
>
> BRs
>
>

-- 
-- Guozhang