Vulnerabilities reported in the cp-server-connect-base image

Question

cijujoseph opened this issue a year ago · 7 comments

We are finding the following vulnerabilities (rated as HIGH by by ECR scan) in the confluentinc/cp-server-connect-base:7.4.0 image:

CVE-2022-45688
- Remediation - upgrade your installed software packages to the proposed fixed in version and release. Update json to 20230227

SNYK-JAVA-ORGBITBUCKETBC-5488281
- Upgrade your installed software packages to the proposed fixed in version and release. Update jose4j to 0.9.3

There is also a few MEDIUM rated vulns:

Answer 1 · 2023-06-06T14:43:52.000Z

@cijujoseph
Thank you for raising this issue. We are aware of those dependencies and plan to resolve them in the upcoming patch release.

Answer 2 · 2023-06-07T13:42:00.000Z

similarly just to add on I'm seeing some of the same vulnerabilities on the cp-kafka-connect 7.4.0-2-ubi image

Answer 3 · 2023-06-09T18:48:44.000Z

@cijujoseph Thank you for raising this issue. We are aware of those dependencies and plan to resolve them in the upcoming patch release.

👋 Hello @janjwerner-confluent is there an expected release date for that patch?

Answer 4 · 2023-06-16T08:57:09.000Z

@janjwerner-confluent do you know if CVE-2022-45688 is resolved in 3.4.1 ? I can't find mentions in the release notes. Thank you 🙇.

Answer 5 · 2023-06-19T13:56:14.000Z

@barambani
I don't know about the update process in AK. I expect it to be resolved in CP 7.4.1

Answer 6 · 2023-06-22T19:51:31.000Z

The following Vulnerabilities in confluentinc/cp-kafka-connect:latest

VULNERABILITY TITLE	SEVERITY	CVE
Red Hat Update for python3 (RHSA-2023:3591)	CRITICAL	CVE-2023-24329
Azul Java Multiple Vulnerabilities Security Update April 2023	SERIOUS	CVE-2023-21930, CVE-2023-21954, CVE-2023-21967, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, CVE-2023-21968

Answer 7 · 2023-08-28T12:45:59.000Z

I expect those to be resolved in patch release for q3 2023.