As I told you on the Strimzi mailing list:
* You should check the paths where the vulnerabilities are found and in
which component they are => that should tell you where it needs to be
addressed
* You should also compare which ones are already addressed in the
upcoming Kafka 3.5.2 (or in Kafka 3.6.1 for example that is already
released)

Then you might know which of them are related to Kafka and are still not
addressed. Then you can go through them and see whether they actually have
any impact or not.

Thanks & Regards
Jakub

On Fri, Dec 8, 2023 at 6:21 PM <balagopal.sanka...@cognizant.com.invalid>
wrote:

> Hi Team,
>
> We have run a Trivy scan on the image :
> quay.io/strimzi/kafka:latest-kafka-3.5.1 and found 7 high and 2 critical
> vulnerabilities. Please take a look at the attached report.
>
> Could you please let me know when these issues will be fixed ?
>
> Severity   Package/Jar                                                          Vulnerability
> HIGH       io.netty:netty-codec-http2 (netty-codec-http2-4.1.93.Final.jar)      GHSA-xpw8-rcwv-8f8p
> HIGH       org.bitbucket.b_c:jose4j (jose4j-0.7.8.jar)                          CVE-2023-31582
> HIGH       org.elasticsearch:elasticsearch (elasticsearch-7.17.3.jar)           CVE-2023-31418
> HIGH       org.json:json (json-20230227.jar)                                    CVE-2023-5072
> HIGH       org.xerial.snappy:snappy-java (snappy-java-1.1.10.1.jar)             CVE-2023-43642
> HIGH       golang.org/x/net                                                     CVE-2023-39325
> CRITICAL   org.apache.zookeeper:zookeeper (zookeeper-3.6.3.jar / zookeeper-3.6.4.jar)  CVE-2023-44981
>
> Regards,
>
> Balagopal S
>
> This e-mail and any files transmitted with it are for the sole use of the
> intended recipient(s) and may contain confidential and privileged
> information. If you are not the intended recipient(s), please reply to the
> sender and destroy all copies of the original message. Any unauthorized
> review, use, disclosure, dissemination, forwarding, printing or copying of
> this email, and/or any action taken in reliance on the contents of this
> e-mail is strictly prohibited and may be unlawful. Where permitted by
> applicable law, this e-mail and other e-mail communications sent to and
> from Cognizant e-mail addresses may be monitored.
>

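A worked version of the triage steps in the reply above, as an added example that is not code from Strimzi, Trivy or either poster: it flattens a Trivy JSON report into one row per finding, tags each row with the image component its path falls under, and sets aside the findings a newer upstream Kafka already addresses so only the remaining ones need an impact review. The field names (Results, Target, Class, Vulnerabilities, VulnerabilityID, PkgName, PkgPath, InstalledVersion, FixedVersion, Severity) follow Trivy's JSON output; the sample report, the path-to-component prefixes and the FIXED_UPSTREAM table are constructed placeholders and must be filled in from the real report, the real image layout and the Kafka release notes before the output is trusted.

```python
"""Triage a Trivy JSON scan of a Kafka image by component and upstream fix status.

Added example, not Strimzi or Trivy code. Top-level field names follow Trivy's
JSON report format; all sample values, paths and the FIXED_UPSTREAM table below
are constructed for illustration (ASSUMED), not taken from a real scan.
"""
import json
from collections import defaultdict

# Constructed sample report (ASSUMED values): three jar findings and one Go
# binary finding, so that every branch of the triage below is exercised.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/strimzi/kafka:latest-kafka-3.5.1",
    "Results": [
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-43642",
              "PkgName": "org.xerial.snappy:snappy-java",
              "PkgPath": "opt/kafka/libs/snappy-java-1.1.10.1.jar",
              "InstalledVersion": "1.1.10.1", "FixedVersion": "1.1.10.4",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-44981",
              "PkgName": "org.apache.zookeeper:zookeeper",
              "PkgPath": "opt/kafka/libs/zookeeper-3.6.4.jar",
              "InstalledVersion": "3.6.4", "FixedVersion": "3.7.2, 3.8.3, 3.9.1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2023-31418",
              "PkgName": "org.elasticsearch:elasticsearch",
              # constructed path, chosen only to exercise the non-Kafka branch
              "PkgPath": "opt/cruise-control/libs/elasticsearch-7.17.3.jar",
              "InstalledVersion": "7.17.3", "FixedVersion": "7.17.13, 8.9.0",
              "Severity": "HIGH"},
         ]},
        {"Target": "usr/bin/kafka_exporter", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
              "InstalledVersion": "v0.10.0", "FixedVersion": "0.17.0",
              "Severity": "HIGH"},
         ]},
    ],
})

# ASSUMED image layout: path prefix -> component that owns the file. Check the
# PkgPath/Target values in the real report and adjust before relying on this.
COMPONENT_PREFIXES = (
    ("opt/kafka/libs/", "kafka"),
    ("opt/cruise-control/", "cruise-control"),
    ("usr/bin/kafka_exporter", "kafka-exporter"),
)

# ASSUMED: findings already addressed by a newer upstream Kafka release, keyed by
# vulnerability id -> release. Placeholder entry; fill in from the release notes.
FIXED_UPSTREAM = {
    "CVE-2023-43642": "3.5.2",
}


def component_for(path: str) -> str:
    """Map a file path inside the image to the component that ships it."""
    for prefix, name in COMPONENT_PREFIXES:
        if path.startswith(prefix):
            return name
    return "unknown"


def triage(report_json: str, fixed_upstream: dict) -> list:
    """One row per finding, annotated with its component and upstream fix status.

    Jar findings carry PkgPath; Go binaries are located by the result Target,
    so the Target is used as the path when PkgPath is absent.
    """
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            path = v.get("PkgPath") or result.get("Target", "")
            rows.append({
                "id": v["VulnerabilityID"],
                "severity": v.get("Severity", "UNKNOWN"),
                "package": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed_version": v.get("FixedVersion", ""),
                "path": path,
                "component": component_for(path),
                "fixed_in_upstream": fixed_upstream.get(v["VulnerabilityID"]),
            })
    return rows


def still_open(rows: list) -> dict:
    """Findings not yet addressed upstream, grouped by component.

    These are the ones worth reading in detail for real impact; the rest are
    resolved by picking up the newer Kafka release.
    """
    out = defaultdict(list)
    for r in rows:
        if r["fixed_in_upstream"] is None:
            out[r["component"]].append(r)
    return dict(out)


if __name__ == "__main__":
    rows = triage(SAMPLE_REPORT, FIXED_UPSTREAM)
    for comp, items in sorted(still_open(rows).items()):
        print(f"[{comp}]")
        for r in items:
            print(f"  {r['severity']:8} {r['id']:16} {r['package']} {r['installed']}"
                  f" -> fix {r['fixed_version'] or 'none published'} ({r['path']})")
```

Replace SAMPLE_REPORT with the output of `trivy image --format json` on the real image. A finding whose path lands under a non-Kafka component (or under "unknown") cannot be closed by a Kafka upgrade and needs to be raised against that component instead; a finding with an empty FixedVersion has no upstream fix to pick up at all and is a candidate for an impact review rather than a version bump.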