strimzi-kafka-operator
Vulnerability observed in strimzi related with okhttp3 operator during scan
Please use this only for bug reports. For questions or when you need help, you can use the GitHub Discussions, our #strimzi Slack channel or our user mailing list.
Describe the bug: Hi team, we have observed a vulnerability in the okhttp3 jar during our latest scan. Below are the details:
PRISMA-2022-0239 | https://github.com/square/okhttp/issues/6738 | Y | fixed in 4.9.2 | com.squareup.okhttp3_okhttp 3.12.12 /opt/strimzi/lib/com.squareup.okhttp3.okhttp-3.12.12.jar
To Reproduce: Steps to reproduce the behavior:
- Take the recent Strimzi Kafka operator source code.
- Run a vulnerability scan on it with Twistlock.
Expected behavior A clear and concise description of what you expected to happen.
Environment (please complete the following information):
- Strimzi version: [e.g. main, 0.22.1]
- Installation method: [e.g. YAML files, Helm chart, OperatorHub.io]
- Kubernetes cluster: [e.g. Kubernetes 1.20, OpenShift 4.7]
- Infrastructure: [e.g. Amazon EKS, Minikube]
YAML files and logs
Attach or copy paste the custom resources you used to deploy the Kafka cluster and the relevant YAMLs created by the Cluster Operator. Attach or copy and paste also the relevant logs.
To easily collect all YAMLs and logs, you can use our report script which will automatically collect all files and prepare a ZIP archive which can be easily attached to this issue.
The usage of this script is:
./report.sh --namespace <string> --cluster <string> [--bridge <string>] [--connect <string>] [--mm2 <string>]
Additional context Add any other context about the problem here.
Strimzi does not directly depend on OkHttp. So this needs to be fixed in whatever dependencies are using OkHttp.
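Because OkHttp arrives only transitively, the practical first step for a finding like this is to work out which direct dependency pulls it in, since that is the dependency whose upgrade (or whose own upstream fix) would change the jar that lands in /opt/strimzi/lib. The script below is an added example, not Strimzi's or the issue authors' code. It parses the text output of the Maven goal `mvn dependency:tree` (run as `mvn dependency:tree -Dincludes=com.squareup.okhttp3 > tree.txt` against the checked-out project) and prints, for each `com.squareup.okhttp3` artifact, the chain from the project root down to it, flagging versions below the 4.9.2 fix version quoted in the scan. The embedded sample tree is constructed for the example: the `com.example` coordinates are placeholders and do not describe Strimzi's real dependency graph; only the OkHttp coordinates match the report above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `mvn dependency:tree` output. Everything under
# com.example is a hypothetical placeholder; only the com.squareup.okhttp3
# lines mirror the scan finding discussed in this issue.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ cluster-operator ---
[INFO] com.example:cluster-operator:jar:0.29.0
[INFO] +- com.example:kube-client:jar:5.12.0:compile
[INFO] |  +- com.example:kube-model:jar:5.12.0:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  \\- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  \\- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:compile
[INFO] \\- com.example:messaging-clients:jar:3.1.0:compile
[INFO] ------------------------------------------------------------------------
"""

# Each nesting level in dependency:tree output is exactly three characters.
MARKERS = ("+- ", "\\- ", "|  ", "   ")
GROUP_RE = re.compile(r"[\w.\-]+")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    depth: int
    parent: Optional["Node"]

    @property
    def coords(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree text into Node objects linked to their parents."""
    nodes: List[Node] = []
    stack: List[Node] = []  # stack[i] is the current ancestor at depth i
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        depth = 0
        while line[:3] in MARKERS:
            line = line[3:]
            depth += 1
        parts = line.split(":")
        # Coordinates are group:artifact:type[:classifier]:version[:scope];
        # plugin banners and separator lines never have four colon-separated parts.
        if len(parts) < 4 or not GROUP_RE.fullmatch(parts[0]):
            continue
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # root has no scope
        del stack[depth:]
        node = Node(parts[0], parts[1], version, depth, stack[-1] if stack else None)
        stack.append(node)
        nodes.append(node)
    return nodes


def chain(node: Node) -> List[str]:
    """Coordinates from the project root down to `node`."""
    out = []
    while node is not None:
        out.append(node.coords)
        node = node.parent
    return out[::-1]


def find_paths(text: str, group_prefix: str) -> List[List[str]]:
    """All root-to-leaf chains ending in an artifact whose groupId matches."""
    return [chain(n) for n in parse_tree(text) if n.group.startswith(group_prefix)]


def direct_dependencies_pulling(text: str, group_prefix: str) -> List[str]:
    """The depth-1 dependencies through which the matching artifacts arrive."""
    direct: List[str] = []
    for path in find_paths(text, group_prefix):
        if len(path) >= 2 and path[1] not in direct:
            direct.append(path[1])
    return direct


def version_key(version: str) -> tuple:
    """Numeric segments of a version, ignoring any -qualifier suffix."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_affected(version: str, fixed_in: str) -> bool:
    return version_key(version) < version_key(fixed_in)


if __name__ == "__main__":
    fixed_in = "4.9.2"  # fix version quoted in the scan finding
    for path in find_paths(SAMPLE_TREE, "com.squareup.okhttp3"):
        leaf_version = path[-1].rsplit(":", 1)[1]
        status = "AFFECTED" if is_affected(leaf_version, fixed_in) else "ok"
        print(f"[{status}] " + " -> ".join(path))
    print("Direct dependencies to upgrade or report upstream:",
          direct_dependencies_pulling(SAMPLE_TREE, "com.squareup.okhttp3"))
```

The second element of each printed chain is the direct dependency to chase: either bump it to a release that itself moved to the fixed OkHttp, or file the issue there, which is what the maintainer's reply above points at. Pinning `com.squareup.okhttp3:okhttp` in your own `dependencyManagement` would change the jar on disk but is only safe if the intermediate dependency actually supports that OkHttp line, so check its release notes first.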
@scholzj, any update on whether the above vulnerability is going to be fixed in recent updates:
[strimzi@7899ebe4f661 lib]$ ls -l | grep okhttp
-rw-r--r-- 1 root root  12483 May 13 18:16 com.squareup.okhttp3.logging-interceptor-3.12.12.jar
-rw-r--r-- 1 root root 427674 May 13 18:16 com.squareup.okhttp3.okhttp-3.12.12.jar
Strimzi version: strimzi/operator:0.29.0-4
Vulnerability is fixed in okhttp 4.9.2
No, nothing changed. Strimzi still does not directly depend on OkHttp. So this needs to be fixed in whatever dependencies are using OkHttp. And this is IMHO not fixed in any 3.x release anyway.