janjwerner-confluent
commented
1 year ago Thank you @cedricAI23 We are aware of this issue. The AppSec team verified that there are no insecure uses of SnakeYaml in Confluent Platform and we plan to update this dependency to 2.0. Unfortunately, the change is backwards incompatible and may require additional time to be processed.
The following image is vulnerable to CVE-2022-1471 Please provide a resolution:
trivy image confluentinc/cp-kafka-connect:6.2.9 | grep CVE-2022-1471 2023-03-27T15:21:43.502-0400 INFO Vulnerability scanning is enabled 2023-03-27T15:21:43.502-0400 INFO Secret scanning is enabled 2023-03-27T15:21:43.502-0400 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning 2023-03-27T15:21:43.502-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection 2023-03-27T15:21:44.363-0400 INFO Detected OS: redhat 2023-03-27T15:21:44.363-0400 INFO Detecting RHEL/CentOS vulnerabilities... 2023-03-27T15:21:44.404-0400 INFO Number of language-specific files: 2 2023-03-27T15:21:44.404-0400 INFO Detecting python-pkg vulnerabilities... 2023-03-27T15:21:44.406-0400 INFO Detecting jar vulnerabilities... 2023-03-27T15:21:44.461-0400 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file. 2023-03-27T15:21:44.465-0400 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file. │ org.yaml:snakeyaml (acl-6.2.9.jar) │ CVE-2022-1471 │ CRITICAL │ 1.31 │ 2.0 │ SnakeYaml: Constructor Deserialization Remote Code Execution │ │ org.yaml:snakeyaml (jmx_prometheus_javaagent-0.17.2.jar) │ CVE-2022-1471 │ CRITICAL │ 1.32 │ 2.0 │ SnakeYaml: Constructor Deserialization Remote Code Execution │