I will try to report this as well. Thanks for pointing it out!
Wu Shilin
Solution Architect, Confluent <https://www.confluent.io>
+6581007012

On Fri, Jun 18, 2021 at 12:49 AM Elvis-ch1 <elvisgre...@yahoo.com.invalid> wrote:

> Hello, I apologize if this is not the right email address to report
> vulnerabilities to; I couldn't find an email address here
> (https://github.com/apache/kafka/security) to report vulnerabilities,
> which is not usually the case.
>
> We happen to be using Kafka in our environment (source image:
> https://quay.io/repository/strimzi/kafka?tab=tags). We recently updated
> to latest-kafka-2.8.0 and our vulnerability scanners found the
> following critical, high, and moderate vulnerabilities:
>
> PS: I did email the strimzi/kafka team and they highlighted that the
> vulnerabilities mentioned below are from Apache Kafka, and Strimzi only
> provides tooling for running Apache Kafka on Kubernetes.
>
> CVE-2017-18640 vulnerability in org.yaml_snakeyaml 1.23, fixed in snakeyaml 1.26
>
> CVE-2020-29582 vulnerability in kotlin-stdlib_kotlin-stdlib 1.3.50, fixed in kotlin 1.4.21
>
> CVE-2021-29425 vulnerability in commons-io_commons-io 1.26, fixed in apache-commons-io 2.7
>
> CVE-2019-17571 vulnerability in log4j_log4j 1.2.17, fixed in log4j 2.8.2
>
> CVE-2020-9488 vulnerability in log4j_log4j 1.2.17, fixed in log4j-2.13.2
>
> CVE-2021-28168 vulnerability in jersey-2.31, fixed in jersey 2.34, jersey 3.0.2
>
> CVE-2021-26291 vulnerability in maven-3.6.3, fixed in maven 3.8.1
>
> CVE-2021-28169 vulnerability in jetty-servlets-9.4.39.v20210325, fixed in jetty 9.4.41, jetty 10.0.3, jetty 11.0.3
>
> Please let me know when/if these vulnerabilities will be fixed/patched in
> Apache Kafka.
>
> Thanks.