[ 
https://issues.apache.org/jira/browse/KAFKA-14206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756760#comment-17756760
 ] 

Mickael Maison commented on KAFKA-14206:
----------------------------------------

Kafka trunk has recently been updated to ZooKeeper 3.8.2: 
https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L151
The next release (3.6.0) is targeted for September.

> From [KIP-902|https://cwiki.apache.org/confluence/display/KAFKA/KIP-902%3A+Upgrade+Zookeeper+to+3.8.1],
> it seems there are compatibility issues between ZooKeeper 3.6.X and 3.8.X so
> it's tricky to do the upgrade in a bugfix release (3.5.2). If the issues are
> really critical, please open a separate ticket or start a thread on the dev
> mailing list.

I'm closing this issue as Kafka has been using ZooKeeper 3.6.4, which addresses 
the CVEs mentioned here, since 3.5.0 (released in June).

> Upgrade zookeeper to 3.7.1 to address security vulnerabilities
> --------------------------------------------------------------
>
>                 Key: KAFKA-14206
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14206
>             Project: Kafka
>          Issue Type: Improvement
>          Components: packaging
>    Affects Versions: 3.2.1
>            Reporter: Valeriy Kassenbayev
>            Priority: Blocker
>
> Kafka 3.2.1 is using ZooKeeper, which is affected by 
> [CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and 
> [CVE-2021-37137|https://www.cve.org/CVERecord?id=CVE-2021-37137]:
> {code:java}
>   ✗ Denial of Service (DoS) [High 
> Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in 
> io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > 
> org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > 
> io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
>   ✗ Denial of Service (DoS) [High 
> Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in 
> io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > 
> org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > 
> io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final {code}
> The issues were fixed in the next versions of ZooKeeper (starting from 
> 3.6.4). ZooKeeper 3.7.1 is the next stable 
> [release|https://zookeeper.apache.org/releases.html] at the moment.
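As an added example (not code from the ticket or from the Kafka project), a small Python triage helper for the Snyk output quoted above: it parses each finding, recovers the transitive path back to the direct dependency (zookeeper@3.6.3 is the hop a Kafka build would bump), and checks with a simplified Maven-style version ordering whether a resolved netty-codec version reaches the advisory's fix version. The sample input is the quoted report re-joined onto one line per entry; the ordering rules are an assumption of this helper, not Snyk's.

```python
import re
# Constructed sample input: the two Snyk findings quoted in KAFKA-14206,
# re-joined onto one line each (the e-mail wrapped them).
SNYK_REPORT = """\
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
"""

FINDING_RE = re.compile(r"✗ (?P<title>.+?) \[(?P<sev>\w+) Severity\]\[(?P<url>[^\]]+)\] in (?P<pkg>\S+)@(?P<ver>\S+)")
PATH_RE = re.compile(r"introduced by (?P<path>.+)")
FIXED_RE = re.compile(r"fixed in versions: (?P<fixed>.+)")

# Simplified Maven-style ordering: pre-release qualifiers sort below a bare number; "Final"/"GA" equal no qualifier.
_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
         "rc": 3, "cr": 3, "snapshot": 4, "final": 5, "ga": 5, "release": 5}

def _tokens(version):
    # Numbers become (1, n); qualifiers become (0, rank) so any number outranks any qualifier.
    toks = [(1, int(p)) if p.isdigit() else (0, _RANK.get(p.lower(), 4))
            for p in re.findall(r"\d+|[A-Za-z]+", version)]
    while toks and toks[-1] == (0, 5):  # "4.1.68.Final" == "4.1.68"
        toks.pop()
    return toks

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b; a missing slot counts as 0."""
    ta, tb = _tokens(a), _tokens(b)
    width = max(len(ta), len(tb))
    ta, tb = ta + [(1, 0)] * (width - len(ta)), tb + [(1, 0)] * (width - len(tb))
    return (ta > tb) - (ta < tb)

def parse_snyk(text):
    # Group the report into findings, each with its dependency path and fix versions.
    findings = []
    for line in text.splitlines():
        if m := FINDING_RE.search(line):
            findings.append({"title": m["title"], "severity": m["sev"], "advisory": m["url"],
                             "package": m["pkg"], "version": m["ver"], "path": [], "fixed": []})
        elif m := PATH_RE.search(line):
            findings[-1]["path"] = [hop.strip() for hop in m["path"].split(">")]
        elif m := FIXED_RE.search(line):
            findings[-1]["fixed"] = [v.strip() for v in m["fixed"].split(",")]
    return findings

def is_remediated(finding, resolved_version):
    """True once the version actually resolved on the classpath reaches a fixed version."""
    return any(compare_versions(resolved_version, fix) >= 0 for fix in finding["fixed"])
```

`parse_snyk(SNYK_REPORT)[0]["path"][1]` gives the direct dependency to bump, and `is_remediated` tells you whether the netty-codec version a candidate ZooKeeper release actually resolves to clears the advisory.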



--
This message was sent by Atlassian Jira
(v8.20.10#820010)