[KAFKA-12869] Update vulnerable dependencies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.7.1
Fix Version/s: None
Component/s: connect, core
Labels:
- security

Description

Description
I checked kafka_2.13-2.7.1.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
Here they are:

jetty-io-9.4.38.v20210224.jar has CVE-2021-28165 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-io:9.4.39 or org.eclipse.jetty:jetty-io:10.0.2 or org.eclipse.jetty:jetty-io:11.0.2
jersey-common-2.31.jar has CVE-2021-28168 vulnerability. The way to fix it is to upgrade to org.glassfish.jersey.core:jersey-common:2.34
jetty-server-9.4.38.v20210224.jar has CVE-2021-28164 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-webapp:9.4.39

To Reproduce
Download kafka_2.13-2.7.1.tgz and find jars, listed above.
Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.

Expected

jetty-io upgraded to 9.4.39 or higher
jersey-common upgraded to 2.34 or higher
jetty-server upgraded to jetty-webapp:9.4.39 or higher

Actual

jetty-io is 9.4.38
jersey-common is 2.31
jetty-server is 9.4.38

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Pavel Kuznetsov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 31/May/21 17:22

Updated:: 01/Jun/21 04:47