Vulnerabilities || Upgrading Kafka connect base image || CVE
kandukurihemanth opened this issue · 2 comments
Hello Team,
I wanted to inform you that we've recently updated our Kafka connector base image to confluentinc/cp-kafka-connect-base:7.2.10, which successfully addressed several security vulnerabilities. However, we've identified that a few critical vulnerabilities still remain unresolved in this version. Additionally, upon reviewing the latest version, 7.6.1, it appears that there are even more vulnerabilities present.
Could you please advise if there is a newer version available that resolves these remaining vulnerabilities?
😢 yea, we just updated all our connectors last month to resolve most of the vulnerabilities and now we got new ones
CVE-2023-51775 - org.bitbucket.b_c:jose4j, org.bitbucket.b_c:jose4j
CVE-2024-29025 - io.netty:netty-codec-http, io.netty:netty-codec-http and 2 more
CVE-2023-3894 - com.fasterxml.jackson.dataformat:jackson-dataformat-properties, com.fasterxml.jackson.dataformat:jackson-dataformat-properties
CVE-2024-21634 - software.amazon.ion:ion-java, software.amazon.ion:ion-java and 1 more
https://support.confluent.io/hc/en-us/articles/13082992005396-Confluent-Security-Advisory-CONFSA-Publication-Policy says High (CVSS 7.0 - 8.9) - Fix available in 30 days
so 🤞
Hi @kandukurihemanth and @aonamrata
A new version of cp-kafka-connect-base has been released.
There are also updated versions of the connectors. Please update to the latest version of the container image and the connectors.