Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-12389

Upgrade of netty-codec due to CVE-2021-21290

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.0
    • Fix Version/s: 2.8.0, 2.7.1, 2.6.2
    • Component/s: security
    • Labels:
      None

      Description

      Our security tool raised the following security flaw on kafka 2.7: https://nvd.nist.gov/vuln/detail/CVE-2021-21290

      It is a vulnerability related to jar netty-codec-4.1.51.Final.jar.

      Looking at source code, the netty-codec in trunk and 2.7.0 branches are still vulnerable.

      Based on netty issue tracker, the vulnerability is fixed in 4.1.59.Final: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              dongjin Dongjin Lee
              Reporter:
              dominique Dominique Mongelli

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment