[
https://issues.apache.org/jira/browse/KAFKA-18820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17928662#comment-17928662
]
Vishal commented on KAFKA-18820:
--------------------------------
Hi [~chia7712] , you had helped with a similar issue last time? Will this be
fixed when Kafka 4.0 is released?
> CVE-2025-24970 [netty-handler]
> ------------------------------
>
> Key: KAFKA-18820
> URL: https://issues.apache.org/jira/browse/KAFKA-18820
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 3.6.3, 3.9.0, 3.8.2, 3.7.3
> Reporter: Vishal
> Priority: Major
>
> Netty, an asynchronous, event-driven network application framework, has a
> vulnerability starting in version 4.1.91.Final and prior to version
> 4.1.118.Final. When a special crafted packet is received via SslHandler it
> doesn't correctly handle validation of such a packet in all cases which can
> lead to a native crash. Version 4.1.118.Final contains a patch. As workaround
> its possible to either disable the usage of the native SSLEngine or change
> the code manually.
> *NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2025-24970]
> *Fix Version :* 4.1.118.Final
> _This issue was created with the help of static security scanners._
> The kafka binary uses netty-handler 4.1.111.Final
> The kafka java library uses 4.1.115.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
