
schema-registry uses some vulnerable dependencies

Open pavel-sbor opened this issue 3 years ago • 3 comments

Description

I checked the Confluent Kafka 6.1.1 distribution with WhiteSource and found out that some libraries have vulnerabilities. Here they are:

  • netty-handler-4.1.48.Final.jar has the CVE-2021-21290 vulnerability. The way to fix it is to upgrade to io.netty:netty-codec-http:4.1.60
  • jersey-common-2.31.jar has the CVE-2021-28168 vulnerability. The way to fix it is to upgrade to org.glassfish.jersey.core:jersey-common:2.34
  • guava-28.1-jre.jar has the CVE-2020-8908 vulnerability. The way to fix it is to upgrade to version 30

To Reproduce

  • Download the Confluent Kafka 6.1.1 distribution (for example: curl -O http://packages.confluent.io/archive/6.1/confluent-community-6.1.1.tar.gz).
  • Open the share/java/schema-registry and share/java/kafka-serde-tools folders in it and find the jars listed above.
  • Check that these jars, with the corresponding versions, are mentioned in the corresponding vulnerability description (for example, on https://nvd.nist.gov/vuln/detail/CVE-2021-28168, jersey-common 2.31 is mentioned in the "Known Affected Software Configurations" list).

Expected behavior

  • netty-handler upgraded to netty-codec-http:4.1.60 or higher
  • jersey-common upgraded to 2.34 or higher
  • guava upgraded to version 30 or higher

Actual behavior

  • netty-handler is 4.1.48.Final
  • jersey-common is 2.31
  • guava is 28.1-jre

pavel-sbor, May 31 '21 16:05
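A defender-side check for the jars the report lists, added here as an example and not the issue author's or Confluent's code: it parses Maven-style jar filenames and flags any of the three artifacts whose version is below the fixed version stated above. The version floors, CVE numbers, folder names and sample filenames are taken from the report; comparing only the numeric prefix of a version (ignoring qualifiers such as `.Final` and `-jre`) is an assumption of this example.

```python
import os
import re

# Version floors and CVEs exactly as stated in the report above (taken from the issue text).
MIN_FIXED_VERSIONS = {
    "netty-handler": ("4.1.60", "CVE-2021-21290"),
    "jersey-common": ("2.34", "CVE-2021-28168"),
    "guava": ("30", "CVE-2020-8908"),
}
# Maven-style names: <artifact>-<version>.jar; the artifact may contain hyphens or dots,
# the version starts with a digit, e.g. "netty-handler-4.1.48.Final.jar".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")
# Constructed sample mirroring the "Actual behavior" list, plus one jar that is not listed.
SAMPLE_JARS = [
    "netty-handler-4.1.48.Final.jar",
    "jersey-common-2.31.jar",
    "guava-28.1-jre.jar",
    "jakarta.ws.rs-api-2.1.6.jar",
]

def parse_jar_name(filename):
    """'guava-28.1-jre.jar' -> ('guava', '28.1-jre'); None if the name is not a versioned jar."""
    m = JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Numeric prefix only (assumption): '4.1.48.Final' -> (4, 1, 48), '28.1-jre' -> (28, 1)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group().split("."))

def find_vulnerable_jars(jar_names):
    """Return (artifact, found_version, min_fixed, cve) for every listed jar below its floor."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed and parsed[0] in MIN_FIXED_VERSIONS:
            artifact, version = parsed
            min_fixed, cve = MIN_FIXED_VERSIONS[artifact]
            if version_key(version) < version_key(min_fixed):
                findings.append((artifact, version, min_fixed, cve))
    return findings

def scan_distribution(root):
    """Scan the two folders the report names inside an unpacked Confluent distribution."""
    names = []
    for sub in ("share/java/schema-registry", "share/java/kafka-serde-tools"):
        folder = os.path.join(root, sub)
        if os.path.isdir(folder):
            names.extend(f for f in os.listdir(folder) if f.endswith(".jar"))
    return find_vulnerable_jars(names)
```

`find_vulnerable_jars(SAMPLE_JARS)` runs offline on the constructed names and reports all three artifacts; `scan_distribution("/path/to/unpacked-confluent-6.1.1")` applies the same check to a real extracted archive.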

Follows from #1525

OneCricketeer, Jun 02 '21 11:06

Hi @OneCricketeer, do we know which release of kafka-schema-registry-client has jersey versioned to 2.34 because of the above vulnerability (CVE-2021-28168)?

sfc-gh-japatel, Aug 24 '21 00:08

I am confused. Based on https://github.com/confluentinc/rest-utils/pull/246, it says it was merged in branch 5.4.x.

However, I do see 5.5.1 having a dependency:

+- io.confluent:kafka-schema-registry-client:jar:5.5.1:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] |  \- org.glassfish.jersey.core:jersey-common:jar:2.30:compile
[INFO] |     +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
[INFO] |     +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |     +- org.glassfish.hk2.external:jakarta.inject:jar:2.6.1:compile
[INFO] |     +- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
[INFO] |     \- com.sun.activation:jakarta.activation:jar:1.2.1:compile

sfc-gh-japatel, Aug 24 '21 00:08

Pavel, thank you for raising this issue. The CVEs have been addressed. We recommend using the latest release, 6.1.7: http://packages.confluent.io/archive/6.1/confluent-community-6.1.7.zip

janjwerner-confluent, Sep 27 '22 16:09