
Security CVE-2022-3509 - com.google.protobuf:protobuf-java > For camel-aws-ddb-sink-kafka-connector-3.21.0

Open aonamrata opened this issue 1 year ago • 3 comments

Hello,

We just updated the camel-aws-ddb-sink-kafka-connector connector to 3.21.0, which resolved some security vulnerabilities, but there are still a few high-priority ones open.

High CVE-2022-3509, CVE-2022-3510 - com.google.protobuf:protobuf-java - Fixed version 3.21.7
High GHSA-xpw8-rcwv-8f8p - io.netty:netty-codec-http2 - Fixed version 4.1.100.Final
High CVE-2023-3635 - com.squareup.okio:okio - Fixed version 3.4.0
High CVE-2023-39410 - org.apache.avro:avro - Fixed version 1.11.3
High CVE-2023-44487 - io.netty:netty-codec-http2 - Fixed version 4.1.100.Final

Is there a version that has this resolved? Do you think these can be updated?

aonamrata avatar Apr 17 '24 14:04 aonamrata

Try with 4.0.3, but I don't think it will cover all the CVEs.

oscerd avatar Apr 17 '24 14:04 oscerd

I initially tried 4.0.3, but I think there is some issue with that package. When I do

ENV DYNAMODB_CONNECTOR_VERSION='4.0.3'
ENV CAMEL_REPOSITORY_BASE_URL="https://repo1.maven.org/maven2/org/apache/camel/kafkaconnector"
RUN mkdir /usr/share/camel && \
    wget -O /usr/share/camel/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz ${CAMEL_REPOSITORY_BASE_URL}/camel-aws-ddb-sink-kafka-connector/${DYNAMODB_CONNECTOR_VERSION}/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz && \
    tar -C /usr/share/camel -zxvf /usr/share/camel/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz

It downloads the package to the plugins path (screenshot), but on registering the connector it gives this error:

2024-04-18 10:35:18 Caused by: org.apache.kafka.connect.errors.ConnectException: Failed to find any class that implements Connector and which name matches org.apache.camel.kafkaconnector.awsddbsink.CamelAwsddbsinkSinkConnector, available connectors are:

even though the folder is there and the path is in

ENV CONNECT_PLUGIN_PATH='/usr/share/java,/usr/share/confluent-hub-components/,/usr/share/camel/'


aonamrata avatar Apr 18 '24 05:04 aonamrata

I think it's something on your side. I won't have time to check this week or the next.

oscerd avatar Apr 18 '24 05:04 oscerd

I got it working with 4.4.3

FROM confluentinc/cp-kafka-connect:7.7.1
ENV DYNAMODB_CONNECTOR_VERSION='4.4.3'
ENV CAMEL_REPOSITORY_BASE_URL="https://repo1.maven.org/maven2/org/apache/camel/kafkaconnector"
RUN mkdir /usr/share/camel && \
    wget -O /usr/share/camel/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz ${CAMEL_REPOSITORY_BASE_URL}/camel-aws-ddb-sink-kafka-connector/${DYNAMODB_CONNECTOR_VERSION}/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz && \
    tar -C /usr/share/camel -zxvf /usr/share/camel/camel-aws-ddb-sink-kafka-connector-${DYNAMODB_CONNECTOR_VERSION}-package.tar.gz

There are no changes to the actual connector configs or how it works, so it was just a version bump once the Confluent guys released a new version with Java 17.

FYI, with this new image there is still 1 high-priority vulnerability:

[2024-09-19T05:53:14.828Z] ###### FAILED FINDINGS ######
[2024-09-19T05:53:14.828Z] {
[2024-09-19T05:53:14.828Z]     "severity": "high",
[2024-09-19T05:53:14.828Z]     "priority_intelligence": "unverified",
[2024-09-19T05:53:14.828Z]     "related": [
[2024-09-19T05:53:14.828Z]         "GHSA-4g9r-vxhx-9pgx"
[2024-09-19T05:53:14.828Z]     ],
[2024-09-19T05:53:14.828Z]     "references": [
[2024-09-19T05:53:14.828Z]         "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf",
[2024-09-19T05:53:14.828Z]         "https://alas.aws.amazon.com/AL2023/ALAS-2024-561.html",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:4057",
[2024-09-19T05:53:14.828Z]         "https://www.cve.org/CVERecord?id=CVE-2024-25710",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:1924",
[2024-09-19T05:53:14.828Z]         "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064413",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:1509",
[2024-09-19T05:53:14.828Z]         "https://alas.aws.amazon.com/AL2023/ALAS-2024-560.html",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:1706",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:1662",
[2024-09-19T05:53:14.828Z]         "https://alas.aws.amazon.com/AL2/ALAS-2024-2493.html",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:3527",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:3989",
[2024-09-19T05:53:14.828Z]         "https://nvd.nist.gov/vuln/detail/CVE-2024-25710",
[2024-09-19T05:53:14.828Z]         "https://access.redhat.com/errata/RHSA-2024:2833"
[2024-09-19T05:53:14.828Z]     ],
[2024-09-19T05:53:14.828Z]     "created": "2024-02-19T09:15:37Z",
[2024-09-19T05:53:14.828Z]     "description": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.",
[2024-09-19T05:53:14.828Z]     "affects": [
[2024-09-19T05:53:14.828Z]         {
[2024-09-19T05:53:14.828Z]             "path": "/usr/share/camel/camel-aws-ddb-sink-kafka-connector/commons-compress-1.22.jar/META-INF/maven/org.apache.commons/commons-compress/pom.properties",
[2024-09-19T05:53:14.828Z]             "fixed_version": "1.26.0",
[2024-09-19T05:53:14.828Z]             "installed_version": "pkg:maven/org.apache.commons/commons-compress@1.22"
[2024-09-19T05:53:14.828Z]         }
[2024-09-19T05:53:14.828Z]     ],
[2024-09-19T05:53:14.828Z]     "id": "CVE-2024-25710",
[2024-09-19T05:53:14.828Z]     "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710",
[2024-09-19T05:53:14.828Z]     "priority": "standard",
[2024-09-19T05:53:14.828Z]     "updated": "2024-03-07T17:15:12Z",
[2024-09-19T05:53:14.828Z] }

aonamrata avatar Sep 19 '24 05:09 aonamrata
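As an added example (not code from the issue or from the Camel project), a POSIX sh audit of an unpacked connector directory against the fixed versions quoted in this thread, so the check the scanners performed above can be repeated before the image is built. The directory layout and the `<artifact>-<version>.jar` file names are assumptions; only the artifact names and fixed versions come from the thread.

```shell
# Added example (not code from the issue or the Camel project): audit the jars
# of an unpacked camel-kafka-connector package against the fixed versions quoted
# in this thread. "artifact fixed-version" pairs, as reported by the scanners:
FIXED_VERSIONS='protobuf-java 3.21.7
netty-codec-http2 4.1.100.Final
okio 3.4.0
avro 1.11.3
commons-compress 1.26.0'

# version_lt A B: succeed when A < B, comparing dot-separated components
# numerically; non-numeric parts such as "Final" count as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# fixed_version_for ARTIFACT: print the fixed version, or nothing if unlisted
fixed_version_for() {
  printf '%s\n' "$FIXED_VERSIONS" | awk -v a="$1" '$1 == a { print $2 }'
}

# audit_dir DIR: report every jar in DIR that is below its fixed version;
# returns 1 if any was found, 0 if clean. Jar names are assumed to follow
# the usual <artifact>-<version>.jar pattern.
audit_dir() {
  rc=0
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    name=$(basename "$jar" .jar)
    version=${name##*-}; artifact=${name%-*}
    case $version in [0-9]*) ;; *) continue ;; esac   # skip unversioned jars
    fixed=$(fixed_version_for "$artifact")
    if [ -n "$fixed" ] && version_lt "$version" "$fixed"; then
      printf '%s %s is below fixed version %s\n' "$artifact" "$version" "$fixed"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample mirroring the scan above: commons-compress still at 1.22,
# the other libraries already at or above their fixed versions.
demo_dir=$(mktemp -d)
for j in commons-compress-1.22 protobuf-java-3.21.12 netty-codec-http2-4.1.100.Final \
         okio-3.4.0 avro-1.11.3; do : > "$demo_dir/$j.jar"; done
audit_dir "$demo_dir" || echo "vulnerable jars found under $demo_dir"
```

Pointing `audit_dir` at `/usr/share/camel/camel-aws-ddb-sink-kafka-connector` inside the built image reproduces the commons-compress finding from the scan output above.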