Kafka / KAFKA-14206

Upgrade zookeeper to 3.7.1 to address security vulnerabilities


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.5.0
    • Component/s: packaging
    • Labels: None

    Description

      Kafka 3.2.1 is using ZooKeeper, which is affected by CVE-2021-37136 and CVE-2021-37137:

        ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
          introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
        This issue was fixed in versions: 4.1.68.Final
        ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
          introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
        This issue was fixed in versions: 4.1.68.Final 

      The issues were fixed in the next versions of ZooKeeper (starting from 3.6.4). ZooKeeper 3.7.1 is the next stable release at the moment.
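A small audit helper, added here as an example and not part of the issue or the Kafka project, that walks a Snyk-style "introduced by" chain and flags every component still below the fix versions named above (netty-codec 4.1.68.Final, ZooKeeper 3.6.4). The "before" chain is copied from the Snyk output in the description; the "after" chain is constructed input and makes no claim about what ZooKeeper 3.7.1 actually ships.

```python
import re
from typing import List, Tuple

# Fix thresholds taken from the issue text: netty-codec fixed in 4.1.68.Final,
# ZooKeeper carrying a fixed netty from 3.6.4 onwards.
MIN_FIXED = {
    "io.netty:netty-codec": "4.1.68.Final",
    "org.apache.zookeeper:zookeeper": "3.6.4",
}

# Matches Maven coordinates of the form group:artifact@version.
COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+)@([\w.\-]+)")


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.1.63.Final' into ((4, 1, 63), 'Final'): numeric segments
    compare numerically, the qualifier only breaks ties."""
    nums, qual = [], ""
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qual = part
    return tuple(nums), qual


def parse_chain(line: str) -> List[Tuple[str, str]]:
    """Extract (artifact, version) pairs from an 'introduced by A > B > C' line."""
    return COORD_RE.findall(line)


def audit_chain(line: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, found_version, min_fixed) for each component in the
    chain that is older than its known fix version."""
    findings = []
    for artifact, version in parse_chain(line):
        fixed = MIN_FIXED.get(artifact)
        if fixed and version_key(version) < version_key(fixed):
            findings.append((artifact, version, fixed))
    return findings


# Chain copied from the Snyk output quoted in the issue.
BEFORE = ("introduced by org.apache.kafka:kafka_2.13@3.2.1 > "
          "org.apache.zookeeper:zookeeper@3.6.3 > "
          "io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final")
# Constructed post-upgrade chain; versions chosen to sit at the thresholds above.
AFTER = ("introduced by org.apache.kafka:kafka_2.13@3.5.0 > "
         "org.apache.zookeeper:zookeeper@3.7.1 > "
         "io.netty:netty-handler@4.1.68.Final > io.netty:netty-codec@4.1.68.Final")

if __name__ == "__main__":
    for label, chain in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_chain(chain) or "no component below its fix version")
```

Run it against the `introduced by` lines of a fresh scan after bumping ZooKeeper to confirm the transitive netty-codec really moved, since an upgrade of the direct dependency does not by itself prove the nested one changed.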

People

    Assignee: Unassigned
    Reporter: Valeriy Kassenbayev (sk1talets)
    Votes: 0
    Watchers: 7
