
Vulnerability observed in strimzi related with okhttp3 operator during scan

Open TushantGupta opened this issue 1 year ago • 1 comments

Please use this only for bug reports. For questions or when you need help, you can use the GitHub Discussions, our #strimzi Slack channel or our user mailing list.

Describe the bug Hi team, we have observed a vulnerability during our latest scan in the okhttp3 jar. Below are the details:

PRISMA-2022-0239 | https://github.com/square/okhttp/issues/6738 | Y | fixed in 4.9.2 | com.squareup.okhttp3_okhttp 3.12.12 /opt/strimzi/lib/com.squareup.okhttp3.okhttp-3.12.12.jar

To Reproduce Steps to reproduce the behavior:

  1. Take the recent Strimzi Kafka operator source code.
  2. Run a vulnerability scan report using a Twistlock scan.

Expected behavior A clear and concise description of what you expected to happen.

Environment (please complete the following information):

  • Strimzi version: [e.g. main, 0.22.1]
  • Installation method: [e.g. YAML files, Helm chart, OperatorHub.io]
  • Kubernetes cluster: [e.g. Kubernetes 1.20, OpenShift 4.7]
  • Infrastructure: [e.g. Amazon EKS, Minikube]

YAML files and logs

Attach or copy paste the custom resources you used to deploy the Kafka cluster and the relevant YAMLs created by the Cluster Operator. Attach or copy and paste also the relevant logs.

To easily collect all YAMLs and logs, you can use our report script which will automatically collect all files and prepare a ZIP archive which can be easily attached to this issue. The usage of this script is: ./report.sh --namespace <string> --cluster <string> [--bridge <string>] [--connect <string>] [--mm2 <string>]

Additional context Add any other context about the problem here.

TushantGupta avatar Sep 16 '22 13:09 TushantGupta

Strimzi does not directly depend on OkHttp. So this needs to be fixed in whatever dependencies are using OkHttp.

scholzj avatar Sep 16 '22 13:09 scholzj

@scholzj .. any update on whether the above vulnerability is going to be fixed in recent updates?

    [strimzi@7899ebe4f661 lib]$ ls -l | grep okhttp
    -rw-r--r-- 1 root root  12483 May 13 18:16 com.squareup.okhttp3.logging-interceptor-3.12.12.jar
    -rw-r--r-- 1 root root 427674 May 13 18:16 com.squareup.okhttp3.okhttp-3.12.12.jar

Strimzi version: strimzi/operator:0.29.0-4

Vulnerability is fixed in okhttp 4.9.2

TushantGupta avatar Nov 04 '22 09:11 TushantGupta

No, nothing changed. Strimzi still does not directly depend on OkHttp. So this needs to be fixed in whatever dependencies are using OkHttp. And this is IMHO not fixed in any 3.x release anyway.

scholzj avatar Nov 04 '22 09:11 scholzj
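The thread above boils down to a check a defender runs after a scanner flags a bundled jar: does the image still ship an artifact below the version the scanner reports as fixed? The following is an added example, not code from the Strimzi project or from either participant. It parses the `ls -l` lines quoted in the thread (plus one constructed, unrelated jar to show filtering), takes the artifact and version from each jar filename, and reports every `com.squareup.okhttp3` jar whose version is below the "fixed in 4.9.2" value from the scanner row. It assumes the version in the filename is authoritative (it does not open the jar manifest) and, as the maintainer notes, it cannot tell you which direct dependency pulls OkHttp in; the usage note covers that follow-up.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the two `ls -l | grep okhttp` lines quoted in the
# thread for /opt/strimzi/lib, plus one made-up unrelated jar to exercise filtering.
SAMPLE_LS_OUTPUT = """\
-rw-r--r-- 1 root root  12483 May 13 18:16 com.squareup.okhttp3.logging-interceptor-3.12.12.jar
-rw-r--r-- 1 root root 427674 May 13 18:16 com.squareup.okhttp3.okhttp-3.12.12.jar
-rw-r--r-- 1 root root 100000 May 13 18:16 com.example.unrelated-1.0.0.jar
"""

# <artifact>-<numeric.version>.jar ; the lazy artifact group lets hyphenated
# artifact ids such as "logging-interceptor" parse correctly.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.12.12' into (3, 12, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(filename: str) -> Optional[Tuple[str, str]]:
    """Split a jar filename into (artifact, version); None if it has no numeric version."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def jars_from_ls(ls_output: str) -> List[str]:
    """Pull the filename (last field) out of each `ls -l` line that names a jar."""
    names = []
    for line in ls_output.splitlines():
        fields = line.split()
        # `ls -l` has at least 9 fields: mode, links, owner, group, size, 3x date, name
        if len(fields) >= 9 and fields[-1].endswith(".jar"):
            names.append(fields[-1])
    return names


def find_jars_below_fix(ls_output: str, artifact_prefix: str, fixed_in: str) -> List[Tuple[str, str]]:
    """Return (jar filename, version) for jars matching artifact_prefix with version < fixed_in."""
    fixed = parse_version(fixed_in)
    hits = []
    for name in jars_from_ls(ls_output):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact.startswith(artifact_prefix) and parse_version(version) < fixed:
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    # Group id and fixed-in version are the ones from the scanner row in the issue.
    for jar, version in find_jars_below_fix(SAMPLE_LS_OUTPUT, "com.squareup.okhttp3", "4.9.2"):
        print(f"{jar}: {version} is below fixed-in version 4.9.2")
```

To run it against a real image, replace `SAMPLE_LS_OUTPUT` with the output of `ls -l /opt/strimzi/lib` captured from the container. Finding the jar only confirms the scanner's observation; to act on the maintainer's point you need the dependency that brings OkHttp in, which for a Maven build you can list with `mvn dependency:tree -Dincludes=com.squareup.okhttp3` in the module that produces the image, and then raise the finding against that dependency.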