cruise-control
Kafka 351 deps for CVE 2023 34455
This PR resolves #CVE-2023-34455, #CVE-2023-34462.
- kafka: update from 3.1.0 to 3.5.1 due to CVE-2023-34455
- zookeeper: update to the latest stable recommended release
- netty: update due to CVE-2023-34462
- jetty: update to the latest stable minor release
- vertx: update to the latest stable minor release
Hi @cesaroangelo , thanks for the change. Since LinkedIn is still using kafka 3.0 internally, we will probably not merge this PR for now. Or is that possible if we only bump up other dependencies and leave kafka version as what it is now?
Hi @CCisGG, thanks for the feedback. This PR (https://github.com/linkedin/cruise-control/pull/2060) would bump up the only dependencies needed to fix those CVEs, especially the high severity one CVE-2023-34455.
@CCisGG Is it possible to start a separate branch? And use this branch to support kafka 3.5+ and 3.6+? Since kafka has iterated too many times on the 3.x branch, it has added a lot of new features. CC is still stuck at 3.1.0. This is not very user-friendly.
Hi @BsoBird, thanks for the feedback. Just curious, is there anything blocking you from using the current CC version on kafka 3.5+? If so, we would be interested in knowing more details. Thanks!
@CCisGG Hi. I just saw several PRs rejected for upgrading the kafka version and guessed that CC can only work with kafka version 3.1.X at the moment.
Hi @BsoBird, thanks for the feedback. I think using CC with a higher kafka version shouldn't cause any issues, which should unblock any users on Kafka 3.2 or higher. As for the kafka version change in CC, we are still on the conservative side. For any open PRs involving a kafka version change, we would recommend splitting the PR into the kafka version bump and the other version bumps, so that we could ship the version bumps for the other CVEs.
@CCisGG Since KAFKA 3.6.X supports tiered storage, we think this is a very important feature. Would it be possible to consider upgrading CC's kafka version to 3.6.1+?
Hi @BsoBird , I think you can actually use current CC version to manage kafka 3.6.+ clusters. Could you please try it?
@CCisGG I can confirm that the current CC version can manage Kafka 3.6.+ clusters, we use it for our Kafka Kubernetes Operator [1]
That being said, if it is not too much maintenance overhead for the maintainers, it may be worth creating a migrate_to_kafka_3_5 branch (just like we have a migrate_to_kafka_2_5 branch) to merge changes like these. It would help us collaborate across projects to test CC with the latest Kafka features and address common CVEs!
[1] https://github.com/strimzi/strimzi-kafka-operator
@mhratson @efeg I'd like your inputs since next quarter I'll be less involved for CC related work.
We are using the kafka 3.6.1 on kraft model
- Could latest cc support kraft model without zookeeper?
- Could "zookeeper.connect" be ignored to be set in config/cruisecontrol.properties?
@medivh511 I believe the answer is yes for both.
@kyguy We recently discussed internally that we would try to bump up the kafka version soon.
Thanks for the information @CCisGG, I am available to help out wherever needed here and in other places, feel free to send any issues my way
@kyguy our only concern is whether kafka 3.5.1 is compatible with our internal 3.1.0 version, and I would assume it's likely backwards compatible. We can give it a try by merging it and baking it for some time. Just as a notice, if it doesn't work somehow, we will have to revert this PR. Hopefully everything goes well.
@mhratson fyi. This is the PR that bumps kafka version. I will publish the version and bring this in.