
OpenSSL + LibCurl Vulnerabilities in librdkafka 1.9.0

Open curtspiteri opened this issue 3 years ago • 2 comments

Description

Using .NET Confluent.Kafka 1.9.0, which uses librdkafka 1.9.0, resulted in two dependent libraries being at versions that have vulnerabilities (CVEs):

  1. librdkafka is using OpenSSL version 1.1.1n and, as per https://www.openssl.org/news/vulnerabilities.html, it has the following vulnerabilities: CVE-2022-1292, CVE-2022-2068, CVE-2022-2097. Therefore this should be upgraded to the latest 1.1.1q.
  2. librdkafka is using libcurl version 7.82 and, as per https://curl.se/docs/vulnerabilities.html, it also has several vulnerabilities. Therefore this should be upgraded to the latest 7.84.

I also reported this as a comment in an existing Confluent.Kafka issue: https://github.com/confluentinc/confluent-kafka-dotnet/issues/1667

How to reproduce

Run the DependencyChecker tool on a .NET application using Confluent.Kafka (dotnet) 1.9.0 and it will point out that the version of the OpenSSL DLLs (libssl-1_1-x64.dll + libcrypto-1_1-x64.dll) being used (1.1.1n) has several vulnerabilities. It will also point out that the version of libcurl.dll being used (7.82) has several vulnerabilities.

Checklist

IMPORTANT: We will close issues where the checklist has not been completed.

Please provide the following information:

  • [x] librdkafka version (release number or git tag): v1.9.0
  • [x] Operating system: Win (x64)
  • [ ] Critical issue

curtspiteri, Jul 13 '22 15:07
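The reproduction step above relies on a third-party dependency checker reading version metadata. A practitioner who wants to confirm the finding directly can scan the bundled DLLs for the version strings that OpenSSL (`OPENSSL_VERSION_TEXT`, e.g. `OpenSSL 1.1.1n  15 Mar 2022`) and libcurl (`libcurl/7.82.0`) embed in their binaries. The script below is an added example written for this page; it is not part of the issue, of librdkafka, or of the DependencyChecker tool. The minimum versions (1.1.1q, 7.84.0) are taken from the issue text rather than from a maintained advisory feed, and the sample byte blobs are constructed stand-ins for real DLL contents so that the script runs offline; pass real file paths on the command line to scan an actual NuGet package's `runtimes/win-x64/native` directory.

```python
"""Scan binaries for embedded OpenSSL / libcurl version strings and compare
them against the minimum versions named in the issue (added example)."""
import re
import sys
from pathlib import Path

# Minimum versions the issue asks for. Assumption: taken from the issue text,
# not from a live vulnerability feed; adjust when newer advisories appear.
MIN_OPENSSL = (1, 1, 1, ord("q") - ord("a") + 1)   # 1.1.1q -> letter index 17
MIN_CURL = (7, 84, 0)                              # 7.84.0

# OpenSSL 1.x embeds "OpenSSL 1.1.1n  15 Mar 2022"; 3.x has no patch letter.
OPENSSL_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")
# libcurl embeds its user-agent fragment "libcurl/7.82.0".
CURL_RE = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")


def openssl_version(blob: bytes):
    """First OpenSSL version string in blob as (major, minor, patch, letter_idx),
    where letter_idx is 0 for no letter, 1 for 'a', ... 17 for 'q'. None if absent."""
    m = OPENSSL_RE.search(blob)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    letter_idx = (ord(letter) - ord("a") + 1) if letter else 0
    return (major, minor, patch, letter_idx)


def curl_version(blob: bytes):
    """First libcurl version string in blob as (major, minor, patch), or None."""
    m = CURL_RE.search(blob)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def fmt_openssl(v) -> str:
    major, minor, patch, letter_idx = v
    s = f"{major}.{minor}.{patch}"
    if letter_idx:
        s += chr(ord("a") + letter_idx - 1)
    return s


def audit(blob: bytes) -> dict:
    """Return {"openssl": (version, ok), "libcurl": (version, ok)} for whatever
    is found. ok means the version is at or above the minimum. Note that a
    3.x OpenSSL compares as "newer" here although it is a different branch;
    the comparison is only meaningful within the 1.1.1 series the issue is about."""
    findings = {}
    v = openssl_version(blob)
    if v is not None:
        findings["openssl"] = (fmt_openssl(v), v >= MIN_OPENSSL)
    c = curl_version(blob)
    if c is not None:
        findings["libcurl"] = (".".join(map(str, c)), c >= MIN_CURL)
    return findings


def audit_file(path) -> dict:
    """Scan one file (e.g. libcrypto-1_1-x64.dll or libcurl.dll) from disk."""
    return audit(Path(path).read_bytes())


# Constructed sample blobs: filler bytes around the version strings that the
# real DLLs embed, standing in for the 1.9.0 bundle and for an updated one.
SAMPLE_OLD = b"MZ\x90\x00\x03...\x00OpenSSL 1.1.1n  15 Mar 2022\x00...\x00libcurl/7.82.0\x00"
SAMPLE_NEW = b"MZ\x90\x00\x03...\x00OpenSSL 1.1.1q  5 Jul 2022\x00...\x00libcurl/7.84.0\x00"

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for t in targets:
            print(t, audit_file(t))
    else:
        print("old bundle:", audit(SAMPLE_OLD))
        print("new bundle:", audit(SAMPLE_NEW))
```

Run with no arguments to see the constructed samples evaluated; run with one or more DLL or .so paths to check a real bundle. A hit only tells you which upstream release was compiled in, not whether the affected code (for example the `c_rehash` script, which is a separate file and never appears inside libcrypto) actually ships or is reachable, so treat the output as the starting point for the kind of per-CVE triage done later in this thread.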

librdkafka relies on vcpkg for dependencies on Windows and vcpkg unfortunately does not provide an updated 1.1.1q package of OpenSSL, they only maintain OpenSSL 3.x versions now - and librdkafka has not yet been ported nor tested on OpenSSL 3.x. This means we're currently not able to update to 1.1.1q in the self-contained Windows version of librdkafka, but will update to 1.1.1q for Linux and OSX builds.

However, this does not pose a problem for the CVEs fixed in 1.1.1q:

  • CVE-2022-1292 - this is in the c_rehash utility which is not included in the librdkafka bundle.
  • CVE-2022-2068 - same c_rehash
  • CVE-2022-2097 - this does not seem to affect TLS, which is what librdkafka is using OpenSSL for.

edenhill, Jul 18 '22 18:07

Thanks @edenhill for the explanation. What about point no. 2, i.e. that the libcurl version being used (7.82) has several other CVEs?

curtspiteri, Jul 19 '22 06:07

We updated to curl 7.84 in the latest release.

edenhill, Oct 03 '22 12:10