[ 
https://issues.apache.org/jira/browse/KAFKA-13518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17455192#comment-17455192
 ] 

Dongjin Lee commented on KAFKA-13518:
-------------------------------------

The security problems on netty-codec were already fixed with KAFKA-13294. It 
will be shipped with AK 3.1.0 and 3.0.1.

In the case of gson, this problem is introduced by spotbugs 4.2.2. [spotbugs 
4.5.0|https://mvnrepository.com/artifact/com.github.spotbugs/spotbugs/4.5.0] 
uses [gson 
2.8.9|https://github.com/google/gson/releases/tag/gson-parent-2.8.9], which 
[resolves|https://github.com/google/gson/pull/1991] WS-2021-0419 vulnerability.

> Update gson and netty-codec in 3.0.0
> ------------------------------------
>
>                 Key: KAFKA-13518
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13518
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.0.0
>            Reporter: Pavel Kuznetsov
>            Priority: Major
>              Labels: security
>
> *Describe the bug*
> I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out 
> that some libraries have vulnerabilities.
> Here they are:
> * gson-2.8.6.jar has WS-2021-0419 vulnerability. The way to fix it is to 
> upgrade to com.google.code.gson:gson:2.8.9
> * netty-codec-4.1.65.Final.jar has CVE-2021-37136 and CVE-2021-37137 
> vulnerabilities. The way to fix it is to upgrade to 
> io.netty:netty-codec:4.1.68.Final
> *To Reproduce*
> Download kafka_2.13-3.0.0.tgz and find the jars listed above.
> Check that these jars with corresponding versions are mentioned in 
> corresponding vulnerability description.
> *Expected behavior*
> * gson upgraded to 2.8.9 or higher
> * netty-codec upgraded to 4.1.68.Final or higher
> *Actual behaviour*
> * gson is 2.8.6
> * netty-codec is 4.1.65.Final
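As an added check, not part of the issue or of Kafka's build, the script below applies the report's version thresholds (gson 2.8.9, netty-codec 4.1.68.Final) to the jar names in a distribution's libs/ directory, so the "To Reproduce" step can be repeated on any unpacked tarball. The jar names in SAMPLE_LIBS are constructed, and the version ordering is a simplified approximation of Maven's (numeric parts first, then a release qualifier such as Final outranks pre-release qualifiers).

```python
import re
from pathlib import Path

# Minimum fixed versions and advisory ids as stated in the issue (KAFKA-13518).
MIN_FIXED = {
    "gson": ("2.8.9", ["WS-2021-0419"]),
    "netty-codec": ("4.1.68.Final", ["CVE-2021-37136", "CVE-2021-37137"]),
}

# artifact id followed by a dash and a version that starts with a digit, e.g.
# netty-codec-4.1.65.Final.jar -> ("netty-codec", "4.1.65.Final")
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jar_name(name):
    """Split a jar file name into (artifact, version); None if it does not fit."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Sortable key: numeric parts, then release flag, then qualifier text.

    Simplified Maven-style ordering (assumption): 4.1.68.Beta1 < 4.1.68.Final,
    and a bare 2.8.9 is treated as a release.
    """
    nums, qualifier = [], ""
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part.lower()
            break
    nums += [0] * (4 - len(nums))  # pad so 2.8.9 and 2.8.9.0 compare equal
    is_release = qualifier in ("", "final", "ga", "release")
    return (tuple(nums), 1 if is_release else 0, qualifier)


def audit_jars(jar_names):
    """Return {jar_name: [advisory ids]} for jars below the minimum fixed version."""
    findings = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None or parsed[0] not in MIN_FIXED:
            continue
        fixed, advisories = MIN_FIXED[parsed[0]]
        if version_key(parsed[1]) < version_key(fixed):
            findings[name] = advisories
    return findings


def audit_libs_dir(libs_dir):
    """Audit every *.jar in an unpacked distribution's libs/ directory."""
    return audit_jars(p.name for p in Path(libs_dir).glob("*.jar"))


# Constructed sample of libs/ contents: two vulnerable jars, three clean ones.
SAMPLE_LIBS = ["gson-2.8.6.jar", "netty-codec-4.1.65.Final.jar", "gson-2.8.9.jar",
               "netty-codec-4.1.68.Final.jar", "kafka-clients-3.0.0.jar"]

if __name__ == "__main__":
    for jar, ids in audit_jars(SAMPLE_LIBS).items():
        print(f"{jar}: below fixed version, affected by {', '.join(ids)}")
```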



--
This message was sent by Atlassian Jira
(v8.20.1#820001)