
openssl vulnerabilities

Open romanb52 opened this issue 2 years ago • 14 comments

Description

librdkafka uses OpenSSL 3 prior to 3.0.8, which is vulnerable:

  • [CVE-2023-0286] - https://nvd.nist.gov/vuln/detail/CVE-2023-0286/
  • [CVE-2022-4450] - https://nvd.nist.gov/vuln/detail/CVE-2022-4450/
  • [CVE-2023-0215] - https://nvd.nist.gov/vuln/detail/CVE-2023-0215/

How to reproduce

No need, vulnerable libraries are part of librdkafka

Checklist

Please provide the following information:

  • [x] librdkafka version (release number or git tag): 2.0.3
  • [x] Apache Kafka version: any
  • [x] librdkafka client configuration: any
  • [x] Operating system: any
  • [x] Provide logs (with debug=.. as necessary) from librdkafka - not needed
  • [x] Provide broker log excerpts - not needed
  • [x] Critical issue

romanb52 avatar Feb 22 '23 14:02 romanb52

Also, librdkafka 2.0.2 uses libcurl version 7.86, which is also vulnerable as per https://curl.se/docs/vulnerabilities.html, so it should be updated to the latest libcurl version.

curtspiteri avatar Mar 15 '23 19:03 curtspiteri

Hi, just writing to encourage this issue to be resolved as soon as is practical. A lot of banks won't allow its use until these are addressed. Thank you!

senecaconsultancy avatar Mar 22 '23 13:03 senecaconsultancy

@pranavrth apart from libcurl, which has vulnerabilities and should be updated to the latest 8.0.1 (see: https://curl.se/docs/vulnerabilities.html),

OpenSSL had other vulnerabilities as recent as 23rd March (see https://www.openssl.org/news/vulnerabilities.html). I saw you upgraded to 3.0.8 in https://github.com/confluentinc/librdkafka/pull/4215, but I guess this needs to be 3.1.1 now once it's available.

curtspiteri avatar Mar 30 '23 14:03 curtspiteri

I can see the issue even with the latest version of librdkafka (2.1.1). Currently, libcurl is leading to 4 CVEs; it seems all of these would be fixed if we upgrade to libcurl version >= 8.1. We may need an OpenSSL upgrade to 3.1.0 as well. The CVEs below show up in the runtime of all platform distributions (Linux/Windows).

  1. CVE-2023-27535: https://nvd.nist.gov/vuln/detail/CVE-2023-27535
  2. CVE-2023-27536: https://nvd.nist.gov/vuln/detail/CVE-2023-27536
  3. CVE-2023-28322: https://nvd.nist.gov/vuln/detail/CVE-2023-28322
  4. CVE-2023-28319: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28319

@emasab @pranavrth Considering that all of the above are high-severity CVEs, can we please update these in the upcoming version?

Vikash08Mishra avatar May 30 '23 13:05 Vikash08Mishra

@Vikash08Mishra yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install librdkafka Linux packages (from Confluent repositories) and the latest versions of the dependencies.

To use those:

Python

pip install --no-binary :all: confluent-kafka

Go

go build -tags dynamic

.NET (in .csproj)

    <PackageReference Include="Confluent.Kafka" Version="2.1.1" />
    <PackageReference Include="librdkafka.redist" Version="2.1.1" ExcludeAssets="All" />

emasab avatar May 30 '23 13:05 emasab
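The thread's practical question for an operator is "which OpenSSL and libcurl did my copy of librdkafka actually ship with?". The prebuilt wheels, NuGet and Go bundles link those libraries statically, and a statically linked OpenSSL or libcurl carries its version banner inside the binary. The script below is an added example (not librdkafka's own tooling and not from any commenter): it scans a shared library for those banners and compares them with the minimum versions the commenters ask for. The thresholds, the sample byte strings, and the file/function names are assumptions constructed for this example.

```python
"""Report the OpenSSL and libcurl versions embedded in a librdkafka binary and
flag anything below the versions requested in this thread.

Added example; not part of librdkafka. The thresholds are taken from the
comments above (OpenSSL >= 3.1.1, libcurl >= 8.1.0) and are an assumption
that should be raised whenever new advisories are published."""
import re
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum versions requested in the thread (assumption, adjust per advisories).
MINIMUM_VERSIONS: Dict[str, Version] = {"OpenSSL": (3, 1, 1), "libcurl": (8, 1, 0)}

# A statically linked OpenSSL embeds a banner such as "OpenSSL 3.0.8 7 Feb 2023";
# libcurl embeds its user-agent fragment, e.g. "libcurl/7.86.0".
PATTERNS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)"),
    "libcurl": re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)"),
}


def find_bundled_versions(blob: bytes) -> Dict[str, Optional[Version]]:
    """Return the lowest version banner found per library, or None if absent.

    The lowest match is reported deliberately: if several banners appear in
    one file, the conservative reading is the oldest one."""
    found: Dict[str, Optional[Version]] = {}
    for lib, pattern in PATTERNS.items():
        versions = {tuple(int(g) for g in m.groups()) for m in pattern.finditer(blob)}
        found[lib] = min(versions) if versions else None  # type: ignore[arg-type]
    return found


def assess(versions: Dict[str, Optional[Version]]) -> Dict[str, Tuple[str, Optional[Version]]]:
    """Map each library to ('ok' | 'outdated' | 'not-found', version)."""
    report = {}
    for lib, minimum in MINIMUM_VERSIONS.items():
        found = versions.get(lib)
        if found is None:
            # Either the library is linked dynamically (check the system
            # package instead) or the banner format differs from PATTERNS.
            report[lib] = ("not-found", None)
        elif found < minimum:
            report[lib] = ("outdated", found)
        else:
            report[lib] = ("ok", found)
    return report


def scan_file(path: str) -> Dict[str, Tuple[str, Optional[Version]]]:
    """Scan a real file, e.g. librdkafka.so or librdkafka.dll."""
    return assess(find_bundled_versions(Path(path).read_bytes()))


def fmt(version: Optional[Version]) -> str:
    return ".".join(map(str, version)) if version else "?"


# Constructed stand-ins for a bundled library: the surrounding bytes are
# arbitrary, only the banners matter. SAMPLE_OLD mirrors the versions the
# thread complains about, SAMPLE_NEW a build after the requested upgrades.
SAMPLE_OLD = b"\x7fELF\x00\x00librdkafka 2.0.3\x00OpenSSL 3.0.7 1 Nov 2022\x00libcurl/7.86.0\x00"
SAMPLE_NEW = b"\x7fELF\x00\x00librdkafka 2.1.1\x00OpenSSL 3.1.1 30 May 2023\x00libcurl/8.1.2\x00"

if __name__ == "__main__":
    # With a path argument scan that file; otherwise demonstrate on SAMPLE_OLD.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else assess(find_bundled_versions(SAMPLE_OLD))
    for lib, (status, version) in result.items():
        print(f"{lib:8} {fmt(version):10} {status}")
    sys.exit(1 if any(s != "ok" for s, _ in result.values()) else 0)
```

Run it against the library the client actually loads (for confluent-kafka wheels that is the `librdkafka*.so` inside the installed package, for `librdkafka.redist` the DLL under `runtimes/`). A `not-found` result is the expected outcome for the `--no-binary :all:` and `-tags dynamic` builds from the comment above, because those link the system OpenSSL and libcurl and the package manager's version is then the one to audit.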

Looks like OpenSSL just released a new version, 3.1.1: https://github.com/openssl/openssl/releases/tag/openssl-3.1.1

vdkranak avatar May 31 '23 18:05 vdkranak

Another vulnerability: CVE-2023-2650

romanb52 avatar Jul 07 '23 07:07 romanb52

Any update please?

romanb52 avatar Jul 10 '23 12:07 romanb52

Another one: CVE-2023-4807

romanb52 avatar Sep 22 '23 08:09 romanb52

A few more CVEs in OpenSSL v3.0.8:

  • https://nvd.nist.gov/vuln/detail/CVE-2023-3817
  • https://nvd.nist.gov/vuln/detail/CVE-2023-0464
  • https://nvd.nist.gov/vuln/detail/CVE-2023-0465
  • https://nvd.nist.gov/vuln/detail/CVE-2023-0466
  • https://nvd.nist.gov/vuln/detail/CVE-2023-1255
  • https://nvd.nist.gov/vuln/detail/CVE-2023-2650
  • https://nvd.nist.gov/vuln/detail/CVE-2023-2975
  • https://nvd.nist.gov/vuln/detail/CVE-2023-4807
  • https://nvd.nist.gov/vuln/detail/CVE-2023-5363
  • https://nvd.nist.gov/vuln/detail/CVE-2023-5678

vivek-datadog avatar Dec 08 '23 12:12 vivek-datadog

Hello @emasab, reaching out to check on the OpenSSL version update timeline. Would this be taken care of as part of https://github.com/confluentinc/librdkafka/pull/4303? I am particularly interested in librdkafka with updated OpenSSL for the Windows environment.

vivek-datadog avatar Dec 13 '23 11:12 vivek-datadog

Thank you for the report. We are in the process of resolving this issue. Please see: https://github.com/confluentinc/librdkafka/pull/4706

janjwerner-confluent avatar May 06 '24 14:05 janjwerner-confluent

Request to Upgrade OpenSSL to Latest Version

Hello Confluent Team,

I would like to request an upgrade of the OpenSSL package bundled with Confluent Kafka. Currently, version 3.0.8 is being used, which has known vulnerabilities that can pose security risks. Upgrading to version 3.0.13 or later would greatly enhance security.

Many users, including those utilizing the Datadog Agent, have flagged these vulnerabilities, and tools like Microsoft Defender have raised alerts regarding the presence of these outdated libraries.

I believe this upgrade is crucial for maintaining the security and integrity of applications relying on Confluent Kafka.

Thank you for considering this request. I look forward to your response.

Best regards, Didier

dpey2mtl avatar Aug 23 '24 13:08 dpey2mtl

@dpey2mtl Please see https://github.com/confluentinc/librdkafka/issues/4786. The discussion about OpenSSL is continued there. cc @milindl @emasab

janjwerner-confluent avatar Aug 23 '24 14:08 janjwerner-confluent