confluentinc / confluent-kafka-dotnet

Confluent's Apache Kafka .NET client
https://github.com/confluentinc/confluent-kafka-dotnet/wiki
Apache License 2.0

The problem of security leaks of librdkafka #1667

Closed (by liujiyuan, 1 year ago)

liujiyuan commented 3 years ago

Description

The current version of lz4 (zlib v1.2.8: CVE-2016-9840, CVE-2016-9842, CVE-2016-9843, CVE-2016-9841) and OpenSSL (v1.0.2r: CVE-2021-23840, v1.0.2o: CVE-2018-0732) have security leaks. Need to upgrade lz4 to v1.2.11 and OpenSSL to v1.1.1.

How to reproduce

So how can we upgrade lz4 and OpenSSL? Or could you upgrade them and publish the package to nuget.org? Thanks.

mhowlett commented 3 years ago

cc: @edenhill

liujiyuan commented 3 years ago

When will you finish it? Thanks a lot! @edenhill @mhowlett

edenhill commented 3 years ago

This is being fixed for Windows builds by relying on vcpkg for dependencies.

As for the v1.0.2 version of OpenSSL in some of the builds: this is used on old Linux platforms (older CentOS) that don't have OpenSSL v1.1.1. These Linux builds are used as fallbacks; the Debian-based Linux builds will have an up-to-date OpenSSL version.

You can verify which OpenSSL version is used by setting debug=security and security.protocol=SSL in a test application.
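The check described in the comment above, written out as an added example (this is not code from the thread or from the confluent-kafka-dotnet project). It builds a producer with `security.protocol=SSL` and `debug=security`, attaches a log handler, and prints the librdkafka log lines that mention OpenSSL, alongside the librdkafka version reported by `Library.VersionString`. The broker address, the CA bundle path and the exact wording of librdkafka's version log line are assumptions; the filter only looks for the substring "OpenSSL", so it works whatever the precise message text is.

```csharp
// Added example, not part of the original issue or of the Confluent.Kafka client.
// Forces librdkafka's SSL initialisation with debug=security so that it logs
// which OpenSSL build it is actually running against.
using System;
using System.Threading;
using Confluent.Kafka;

class OpenSslVersionCheck
{
    static void Main()
    {
        // librdkafka version bundled with the NuGet package (real Confluent.Kafka API).
        Console.WriteLine($"librdkafka version: {Library.VersionString}");

        var config = new ProducerConfig
        {
            // Assumption: an SSL listener of your own cluster. The version line is
            // logged during SSL context setup, so the broker need not be reachable.
            BootstrapServers = "broker.example.internal:9093",
            SecurityProtocol = SecurityProtocol.Ssl,
            // Assumption: path to a CA bundle on the machine running the check.
            SslCaLocation = "/etc/ssl/certs/ca-certificates.crt",
            Debug = "security",
        };

        using var producer = new ProducerBuilder<Null, string>(config)
            .SetLogHandler((_, log) =>
            {
                // debug=security is verbose; keep only lines that name the TLS library.
                // Assumption: the line reporting the linked OpenSSL contains "OpenSSL".
                if (log.Message.Contains("OpenSSL", StringComparison.OrdinalIgnoreCase))
                    Console.WriteLine($"[{log.Facility}] {log.Message}");
            })
            .SetErrorHandler((_, e) => Console.Error.WriteLine($"error: {e.Reason}"))
            .Build();

        // Give the client a moment to initialise and flush its log callbacks
        // before the producer is disposed.
        Thread.Sleep(TimeSpan.FromSeconds(3));
    }
}
```

Run it once per target platform (Windows, Debian-based Linux, the CentOS fallback build): the version printed is the one linked into the native library that the package actually loaded on that host, which is what matters when matching against the OpenSSL advisories, not the version listed on the NuGet page.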

curtspiteri commented 2 years ago

Confluent.Kafka 1.9.0 seems to be using OpenSSL 1.1.1n, which has several vulnerabilities that were fixed recently: https://www.openssl.org/news/vulnerabilities.html I know this since 'libcrypto-1_1-x64.dll' and 'libssl-1_1-x64.dll' have that version.

Can this be upgraded to use the latest OpenSSL 1.1.1q, which fixes these vulnerabilities? @edenhill I guess this has to be done in librdkafka first?

Also, the 'libcurl' version being used is 7.82, which likewise has vulnerabilities: https://curl.se/docs/vulnerabilities.html Can this be upgraded to the latest 7.84? @edenhill Again, I think this needs to be fixed/upgraded in librdkafka first?

mhowlett commented 1 year ago

https://github.com/edenhill/librdkafka/releases/tag/v1.9.2

Closing, though this is an ongoing battle (updating dependencies to address vulnerabilities). Feel free to report future security issues directly on the librdkafka repo; the .NET client will always depend on the latest librdkafka release.