Upgrade to Apache Kafka 3.5.0

Details

    • Type: Task
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 2.4.0.Alpha1
    • Affects Version/s: 1.9.7.Final, 2.1.2.Final
    • Component/s: dependencies

    Description

      Current Kafka versions (3.3.1) contain versions of jackson-databind and netty with known CVEs. These are both present in the current debezium/connect-base containers.

      KAFKA-14320 fixes these, and was released in Kafka 3.4.0 / 3.3.2:

      KAFKA-14564 fixes this, and will be released in Kafka 3.5.0:

      This ticket is to request upgrading to 3.5.0 when that is available.

      Scan results for: image debezium/connect-base:latest sha256:8a374fa60e1e44e679fb15a1f561bb7894ffb43089c499215eb6a1200397ac80
      Vulnerabilities
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      |      CVE       | SEVERITY | CVSS |                   PACKAGE                   | VERSION |     STATUS      | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      | CVE-2022-42004 | high     | 7.50 | com.fasterxml.jackson.core_jackson-databind | 2.13.3  | fixed in 2.13.4 | > 3 months | < 1 hour   | In FasterXML jackson-databind before 2.13.4,       |
      |                |          |      |                                             |         | > 3 months ago  |            |            | resource exhaustion can occur because of a lack of |
      |                |          |      |                                             |         |                 |            |            | a check in BeanDeserializer._deserializeFromArray  |
      |                |          |      |                                             |         |                 |            |            | to p...                                            |
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      | CVE-2022-42003 | high     | 7.50 | com.fasterxml.jackson.core_jackson-databind | 2.13.3  | fixed in 2.14.0 | > 3 months | < 1 hour   | In FasterXML jackson-databind before 2.14.0-rc1,   |
      |                |          |      |                                             |         | > 3 months ago  |            |            | resource exhaustion can occur because of a lack of |
      |                |          |      |                                             |         |                 |            |            | a check in primitive value deserializers to avoid  |
      |                |          |      |                                             |         |                 |            |            | ...                                                |
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      | CVE-2022-41881 | high     | 7.50 | io.netty_netty-codec                        | 4.1.78  | fixed in 4.1.86 | 45 days    | < 1 hour   | Netty project is an event-driven asynchronous      |
      |                |          |      |                                             |         | 38 days ago     |            |            | network application framework. In versions prior   |
      |                |          |      |                                             |         |                 |            |            | to 4.1.86.Final, a StackOverflowError can be       |
      |                |          |      |                                             |         |                 |            |            | raised whe...                                      |
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      | CVE-2022-41915 | medium   | 6.50 | io.netty_netty-codec                        | 4.1.78  | fixed in 4.1.86 | 44 days    | < 1 hour   | Netty project is an event-driven asynchronous      |
      |                |          |      |                                             |         | 38 days ago     |            |            | network application framework. Starting in version |
      |                |          |      |                                             |         |                 |            |            | 4.1.83.Final and prior to 4.1.86.Final, when       |
      |                |          |      |                                             |         |                 |            |            | calling ...                                        |
      +----------------+----------+------+---------------------------------------------+---------+-----------------+------------+------------+----------------------------------------------------+
      Vulnerabilities found for image debezium/connect-base:latest: total - 4, critical - 0, high - 3, medium - 1, low - 0
      Vulnerability threshold check results: PASS


            People

              Assignee: Unassigned
              Reporter: Brendan Ribera (bribera) (Inactive)