[KAFKA-14206] Upgrade zookeeper to 3.7.1 to address security vulnerabilities - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.2.1
Fix Version/s: 3.5.0
Component/s: packaging
Labels:
None

Description

Kafka 3.2.1 is using ZooKeeper, which is affected by CVE-2021-37136 and CVE-2021-37137:

  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final

The issues were fixed in the next versions of ZooKeeper (starting from 3.6.4). ZooKeeper 3.7.1 is the next stable release at the moment.

Attachments

Issue Links

links to

GitHub Pull Request #12620

Activity

People

Assignee:: Unassigned

Reporter:: Valeriy Kassenbayev

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 07/Sep/22 12:37

Updated:: 21/Aug/23 08:53

Resolved:: 21/Aug/23 08:53