divijvaidya commented on PR #12620:
URL: https://github.com/apache/kafka/pull/12620#issuecomment-1245356187

I did some analysis on what has changed and here is my summary:

ZK 3.7.1 [contains CVE fixes](https://zookeeper.apache.org/doc/r3.7.1/releasenotes.html) for:
1. Jackson-databind: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
2. Log4j 1.x: CVE-2022-23302/5/7: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
3. Jetty: https://nvd.nist.gov/vuln/detail/cve-2021-28165
4. Reload4j: CVE-2020-9493, CVE-2022-23307

In 3.3.0-RC1 for Kafka:
1. We are [picking up 4.1.78 for Netty](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L108) for two sub-modules of Netty, `netty-transport-native-epoll` and `netty-handler`. The reported CVEs in Netty's other sub-modules are either related to compression algorithms or in HTTP/2, which ZooKeeper (or Kafka) doesn't use AFAIK. Hence, we should be ok.
2. We are picking up [Jetty Server 9.4.48](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L73), which fixes the vulnerabilities fixed by the new ZooKeeper version.
3. We are picking up [Jackson 2.13.3](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L70), which fixes the vulnerabilities fixed by the new ZooKeeper version.
4. We are [picking up Reload4j 1.2.19](https://github.com/apache/kafka/blob/3.3.0-rc1/gradle/dependencies.gradle#L111), which fixes the vulnerabilities fixed by the new ZooKeeper version.

Since the CVEs are fixed in the versions we are directly picking up on the class path for Kafka, I don't think it is urgent to upgrade the ZooKeeper version. We can scope it for 3.4.0.
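The comment above does a transitive-dependency audit by hand: the fix for each CVE lives in a library that Kafka pins directly, so the pinned version, not the version ZooKeeper would pull in, is what lands on the class path. The script below is an added example (not code from the PR or from the Kafka project) of automating that check. It parses a small, constructed block written in the style of Kafka's `gradle/dependencies.gradle`, then compares each pin numerically against the versions the comment names as carrying the fixes, which are treated here as assumed floor values. The `zookeeper` pin in the sample is constructed and deliberately below 3.7.1 so the report shows how a pin that is itself stale is still reported, while the libraries that actually carry the fixes pass.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of Kafka's gradle/dependencies.gradle.
# This is NOT the real file; the library versions match the numbers quoted in
# the PR comment, and the zookeeper pin is an assumed, deliberately stale value.
SAMPLE_DEPENDENCIES_GRADLE = """
versions += [
  jackson: "2.13.3",
  jetty: "9.4.48.v20220622",
  netty: "4.1.78.Final",
  reload4j: "1.2.19",
  zookeeper: "3.6.3",
]
"""

# Assumed floor versions: the ones the comment identifies as containing the
# fixes for the CVEs listed in the ZooKeeper 3.7.1 release notes. ZooKeeper
# itself is included so the report shows the pin that is below target.
MINIMUM_FIXED: Dict[str, str] = {
    "jackson": "2.13.3",
    "jetty": "9.4.48",
    "netty": "4.1.78",
    "reload4j": "1.2.19",
    "zookeeper": "3.7.1",
}

# Matches lines of the form `  name: "version",` inside a `versions += [ ... ]` block.
VERSION_RE = re.compile(r'^\s*(\w+):\s*"([^"]+)"')


def parse_versions(text: str) -> Dict[str, str]:
    """Extract name -> version pairs from a Gradle-style versions block."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        match = VERSION_RE.match(line)
        if match:
            pins[match.group(1)] = match.group(2)
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-aware comparison key.

    Plain string comparison gets this wrong ("9.4.48" < "9.4.9" as strings),
    so each dotted component is compared as an integer. Trailing qualifiers
    such as ".v20220622" or ".Final" stop the numeric prefix and are ignored.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def meets_minimum(actual: str, minimum: str) -> bool:
    """True when the pinned version is at or above the floor version."""
    return version_key(actual) >= version_key(minimum)


def audit(pins: Dict[str, str], minimums: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Return (name, pinned, minimum, ok) for each tracked dependency.

    A dependency that is not pinned at all is reported as not ok, because then
    whatever version a transitive dependency requests is what ends up on the
    class path.
    """
    report = []
    for name, minimum in minimums.items():
        pinned = pins.get(name, "<unpinned>")
        ok = name in pins and meets_minimum(pinned, minimum)
        report.append((name, pinned, minimum, ok))
    return report


def failing(pins: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """Names of dependencies whose pin is missing or below the floor."""
    return [name for name, _, _, ok in audit(pins, minimums) if not ok]


if __name__ == "__main__":
    pinned = parse_versions(SAMPLE_DEPENDENCIES_GRADLE)
    for name, actual, minimum, ok in audit(pinned, MINIMUM_FIXED):
        status = "ok " if ok else "LOW"
        print(f"{status} {name:<10} pinned={actual:<18} minimum={minimum}")
```

Running it against the constructed sample flags only `zookeeper`, which is the comment's conclusion in code form: the class path carries fixed Jackson, Jetty, Netty and Reload4j builds even though the ZooKeeper pin itself predates 3.7.1. Against a real checkout, the pins would come from the actual `gradle/dependencies.gradle`, and the floors would be updated as new advisories name new fixed versions.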


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.