[jira] [Comment Edited] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1

Mon, 25 Sep 2023 03:09:04 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17768031#comment-17768031
 ] 

Divij Vaidya edited comment on KAFKA-15487 at 9/25/23 10:08 AM:
----------------------------------------------------------------

Current release candidate 3.6 uses Jetty 9.4.51 [1], hence all versions of 
Kafka are impacted by the CVE [2].

I have started a conversation with Kafka's security team about this. Let us get 
back to you on this.

[1] 
[https://github.com/apache/kafka/blame/e8dffea9ab9c02b6c6a862de11439ad0ff6bf2c5/gradle/dependencies.gradle#L93]
 
[2] 
[https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6]
 


was (Author: divijvaidya):
Current release candidate 3.6 uses Jetty 9.4.51 [1], hence all versions of 
Kafka are impacted by the CVE [2].

I have started a conversation with Kafka's security team about this. Let us get 
back to you on this. In future, the preferred way to report security issues is 
by emailing [[email protected]|mailto:[email protected]] with 
the details.

[1] 
[https://github.com/apache/kafka/blame/e8dffea9ab9c02b6c6a862de11439ad0ff6bf2c5/gradle/dependencies.gradle#L93]
 
[2] 
[https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6]
 

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 
> 12.0.1
> ----------------------------------------------------------------------------------
>
>                 Key: KAFKA-15487
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15487
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0, 2.6.1, 3.4.1, 3.6.0, 3.5.1
>            Reporter: Rafael Rios Saavedra
>            Assignee: Divij Vaidya
>            Priority: Major
>              Labels: CVE, security
>             Fix For: 2.8.0, 2.7.1, 2.6.2, 3.0.0
>
>
> CVE-2023-40167 and CVE-2023-36479 vulnerabilities affects Jetty version 
> {*}9.4.51{*}. For more information see 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167] 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749] 
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address 
> this issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to