Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-13048

Update vulnerable dependencies in 2.8.0

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 2.8.0
    • None
    • core, KafkaConnect

    Description

      *Describe the bug*
      I checked kafka_2.13-2.8.0.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
      Here they are:

      • jetty-http-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-http:9.4.41.v20210516
      • jetty-server-9.4.40.v20210413.jar has CVE-2021-28169 and CVE-2021-34428 vulnerabilities. The way to fix it is to upgrade to org.eclipse.jetty:jetty-server:9.4.41.v20210516
      • jetty-servlets-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-servlets:9.4.41.v20210516

      *To Reproduce*
      Download kafka_2.13-2.8.0.tgz and find jars, listed above.
      Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.

      *Expected behavior*

      • jetty-http upgraded to 9.4.41.v20210516 or higher
      • jetty-server upgraded to 9.4.41.v20210516 or higher
      • jetty-servlets upgraded to 9.4.41.v20210516 or higher

      *Actual behaviour*

      • jetty-http is 9.4.40.v20210413
      • jetty-server is 9.4.40.v20210413
      • jetty-servlets is 9.4.40.v20210413

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              pavel-sbor Pavel Kuznetsov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: