Closed Super-Lu closed 3 days ago
You could open a PR to fix this easily. This is how we collaborate on GitHub. You don't need to submit an issue for that.
The main question is, 2.4.1 to 3.8.0
Is this a compatible change? If not, you need to change the code to adopt those changes.
> You could open a PR to fix this easily. This is how we collaborate on GitHub. You don't need to submit an issue for that.
Thank you for your response, I will create a PR and submit the modifications as soon as possible.
I remember someone tried to do this, but as it ended in changing code, he/she gave up.
> The main question is,
> 2.4.1 to 3.8.0
> Is this a compatible change? If not, you need to change the code to adopt those changes.
Basically yes. But with some notable changes for the Producer.
Further, whether this affects the consumer. Usually a 2.x to 3.x upgrade is not that simple.
Apache SkyWalking Component
Java Agent (apache/skywalking-java)
What happened
When using the kafka-reporter-plugin plugin, it was found that the referenced version 2.4.1 of kafka-clients contains the publicly disclosed security vulnerability CVE-2024-31141.
What you expected to happen
I hope to modify the kafka-reporter-plugin plugin's pom.xml file by updating the dependency version number for kafka-clients from 2.4.1 to 3.8.0. The code change is as follows: <kafka-clients.version>3.8.0</kafka-clients.version>
How to reproduce
1. Clone the skywalking-java source code to a local directory, such as D:\code
2. Enter the directory D:\code\skywalking-java\apm-sniffer\optional-reporter-plugins
3. Open the pom.xml file and find the kafka-clients property tag <kafka-clients.version>2.4.1</kafka-clients.version>
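An added example, not part of the issue or of the SkyWalking code base: a check that resolves the kafka-clients version declared in a POM, following the `${kafka-clients.version}` property, and compares it with 3.8.0, the version this issue proposes. The sample POM is constructed, the function names are hypothetical, and treating 3.8.0 as the minimum acceptable version is an assumption taken from the proposed change.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MINIMUM = "3.8.0"  # assumption: the target version proposed in the issue

# Constructed sample POM modelled on the property the issue describes.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <kafka-clients.version>2.4.1</kafka-clients.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-clients</artifactId>
      <version>${kafka-clients.version}</version>
    </dependency>
  </dependencies>
</project>
"""

def version_key(version):
    """Numeric sort key for dotted versions; a suffix such as -SNAPSHOT is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def resolve_kafka_clients_version(pom_text):
    """Return the declared kafka-clients version, resolving ${property} references."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", "", NS).strip() == "kafka-clients":
            raw = dep.findtext("m:version", "", NS).strip()
            ref = re.fullmatch(r"\$\{(.+)\}", raw)
            # A property defined in a parent POM cannot be resolved here: None.
            return props.get(ref.group(1)) if ref else (raw or None)
    return None

def check(pom_text, minimum=MINIMUM):
    """Return (status, version): 'ok', 'outdated', or 'unknown' if unresolved."""
    found = resolve_kafka_clients_version(pom_text)
    if found is None:
        return ("unknown", None)
    status = "ok" if version_key(found) >= version_key(minimum) else "outdated"
    return (status, found)

if __name__ == "__main__":
    print(check(SAMPLE_POM))
```

Versions are compared numerically rather than as strings, so 2.10.0 sorts above 2.4.1.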