
zlib library security vulnerability through to version 1.3

Open MiikaL opened this issue 10 months ago • 3 comments

Description

We use the Confluent.Kafka nuget which makes use of librdkafka, and we are receiving a security warning about the version of zlib in use:

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': zlib1.dll: CVE-2023-45853(9.8), CVE-2002-0059(9.8), CVE-2022-37434(9.8)

https://nvd.nist.gov/vuln/detail/CVE-2023-45853

How to reproduce

Checklist

Please provide the following information:

  • [X] A complete (i.e. we can run it), minimal program demonstrating the problem. No need to supply a project file.: N/A
  • [X] Confluent.Kafka nuget version: 2.3.0
  • [X] Apache Kafka version: N/A
  • [X] Client configuration: N/A
  • [X] Operating system: Windows/.Net
  • [X] Provide logs (with "debug" : "..." as necessary in configuration): N/A
  • [X] Provide broker log excerpts: N/A
  • [X] Critical issue: Critical security vulnerability

MiikaL, Apr 03 '24 07:04
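As an added example (not code from this issue, nor from confluent-kafka-dotnet or librdkafka), here is a small .NET console check that asks the zlib1.dll actually loaded by the process for its version, using zlib's standard `zlibVersion()` export, and compares it against 1.3.1. It assumes zlib1.dll is on the native search path of the process (for example, copied to the build output by the librdkafka.redist package on win-x64); the class, method and constant names are mine.

```csharp
// Added example (not part of the issue or the confluent-kafka-dotnet project):
// ask the zlib1.dll that librdkafka loads at runtime which zlib version it is,
// and fail if it is older than the release that fixed the CVE-2023-45853 entry
// in the scanner report. Assumes zlib1.dll resolves on the native-library
// search path (e.g. restored by librdkafka.redist for win-x64).
using System;
using System.Runtime.InteropServices;

static class ZlibVersionCheck
{
    // const char* zlibVersion(void) -- a standard export declared in zlib.h.
    [DllImport("zlib1", CallingConvention = CallingConvention.Cdecl, EntryPoint = "zlibVersion")]
    private static extern IntPtr ZlibVersionNative();

    // 1.3.1 is the first zlib release after CVE-2023-45853 (reported against
    // "zlib through 1.3"); CVE-2022-37434 was fixed earlier, in 1.2.13.
    public static readonly Version Minimum = new Version(1, 3, 1);

    // Version string as reported by the DLL that the loader actually picked.
    public static string LoadedVersion()
    {
        IntPtr p = ZlibVersionNative();
        return Marshal.PtrToStringAnsi(p)
               ?? throw new InvalidOperationException("zlibVersion() returned NULL");
    }

    // zlib reports strings like "1.3", "1.3.1" or "1.2.13". Pad to three
    // components so "1.3" compares as 1.3.0 instead of failing on a missing part.
    public static Version Parse(string reported)
    {
        string[] parts = reported.Trim().Split('.');
        int major = int.Parse(parts[0]);
        int minor = parts.Length > 1 ? int.Parse(parts[1]) : 0;
        int patch = parts.Length > 2 ? int.Parse(parts[2]) : 0;
        return new Version(major, minor, patch);
    }

    public static bool IsAcceptable(string reported) => Parse(reported) >= Minimum;

    static int Main()
    {
        string reported = LoadedVersion();
        Console.WriteLine($"zlib1.dll reports zlib {reported}; minimum required {Minimum}");
        if (!IsAcceptable(reported))
        {
            Console.Error.WriteLine("FAIL: bundled zlib predates the fix for CVE-2023-45853");
            return 1;
        }
        Console.WriteLine("OK");
        return 0;
    }
}
```

Run it from the same output directory as the service so it loads the very zlib1.dll the scanner flagged, rather than some other copy on PATH. Two caveats: the check reports the version string compiled into the DLL, which is what the scanner keys on, not whether the vulnerable code path is reachable (the NVD entry linked above places CVE-2023-45853 in zlib's MiniZip contrib code, not in the core inflate/deflate routines librdkafka uses for compression); and on Linux the same P/Invoke would need the library name of the system or bundled libz instead of "zlib1".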

@MiikaL Thank you for bringing it to our attention, this should be resolved with a fix to librdkafka that will get propagated here.

janjwerner-confluent, Apr 15 '24 14:04

Any updates here? Seems like this is still an issue?

tomasr, Aug 12 '24 19:08

It appears to still be an issue because librdkafka packages version 1.3 of zlib with the Windows version, although there is code there to download 1.3.1 for the Linux version.

MiikaL, Aug 13 '24 06:08