Hello, I apologize if this is not the right email address to report
vulnerabilities to; I couldn't find an email address here
(https://github.com/apache/kafka/security) to report vulnerabilities,
which is not usually the case.
We happen to be using Kafka in our environment (source image:
https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
to latest-kafka-2.8.0 and our vulnerability scanners found the
following critical, high, and moderate vulnerabilities:
PS: I did email the strimzi/kafka team and they highlighted that the
vulnerabilities mentioned below are from Apache Kafka, and Strimzi only
provides tooling for running Apache Kafka on Kubernetes.
CVE-2017-18640 vulnerability in org.yaml_snakeyaml 1.23, fixed in snakeyaml 1.26
CVE-2020-29582 vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50, fixed in kotlin 1.4.21
CVE-2021-29425 vulnerability in commons-io_commons-io 1.26, fixed in apache-commons-io 2.7
CVE-2019-17571 vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.8.2
CVE-2020-9488 vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.13.2
CVE-2021-28168 vulnerability in jersey 2.31, fixed in jersey 2.34, jersey 3.0.2
CVE-2021-26291 vulnerability in maven 3.6.3, fixed in maven 3.8.1
CVE-2021-28169 vulnerability in jetty-servlets 9.4.39.v20210325, fixed in jetty 9.4.41, jetty 10.0.3, jetty 11.0.3
Please let me know when/if these vulnerabilities will be fixed/patched in
Apache Kafka.
Thanks.