Pavel Kuznetsov created KAFKA-12869:
---------------------------------------
Summary: Update vulnerable dependencies
Key: KAFKA-12869
URL: https://issues.apache.org/jira/browse/KAFKA-12869
Project: Kafka
Issue Type: Bug
Components: core, KafkaConnect
Affects Versions: 2.7.1
Reporter: Pavel Kuznetsov
*Description*
I checked kafka_2.13-2.7.1.tgz distribution with WhiteSource and find out that
some libraries have vulnerabilities.
Here they are:
* jetty-io-9.4.38.v20210224.jar has CVE-2021-28165 vulnerability. The way to
fix it is to upgrade to org.eclipse.jetty:jetty-io:9.4.39 or
org.eclipse.jetty:jetty-io:10.0.2 or org.eclipse.jetty:jetty-io:11.0.2
* jersey-common-2.31.jar has CVE-2021-28168 vulnerability. The way to fix it is
to upgrade to org.glassfish.jersey.core:jersey-common:2.34
* jetty-server-9.4.38.v20210224.jar has CVE-2021-28164 vulnerability. The way
to fix it is to upgrade to org.eclipse.jetty:jetty-webapp:9.4.39
*To Reproduce*
Download kafka_2.13-2.7.1.tgz and find jars, listed above.
Check that these jars with corresponding versions are mentioned in
corresponding vulnerability description.
*Expected*
* jetty-io upgraded to 9.4.39 or higher
* jersey-common upgraded to 2.34 or higher
* jetty-server upgraded to jetty-webapp:9.4.39 or higher
*Actual*
* jetty-io is 9.4.38
* jersey-common is 2.31
* jetty-server is 9.4.38
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
