KAFKA-16645: CVEs in 3.7.0 docker image

Details

    • Type: Task
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Resolved
    • Affects Version/s: 3.7.0
    • Fix Version/s: 3.8.0, 3.7.1
    • Component/s: None
    • Labels: None

    Description

      Our Docker Image CVE Scanner GitHub action reports 2 high CVEs in our base image:

      apache/kafka:3.7.0 (alpine 3.19.1)
      ==================================
      Total: 2 (HIGH: 2, CRITICAL: 0)

      Library   Vulnerability   Severity  Status  Installed Version  Fixed Version  Title
      --------  --------------  --------  ------  -----------------  -------------  -----------------------------------------------------------
      libexpat  CVE-2023-52425  HIGH      fixed   2.5.0-r2           2.6.0-r0       expat: parsing large tokens can trigger a denial of service
                                                                                    https://avd.aquasec.com/nvd/cve-2023-52425
      libexpat  CVE-2024-28757  HIGH      fixed   2.5.0-r2           2.6.2-r0       expat: XML Entity Expansion
                                                                                    https://avd.aquasec.com/nvd/cve-2024-28757

      Looking at the KIP that introduced the docker images, it seems we should release a bugfix when high CVEs are detected. It would be good to investigate and assess whether Kafka is impacted or not.

          People

            soarez Igor Soarez
            mimaison Mickael Maison
            Votes: 0
            Watchers: 3