confluentinc / kafka-images

Confluent Docker images for Apache Kafka
Apache License 2.0

Latest Image for CP-Zookeeper has multiple vulnerabilities #84

Open eric-w-hart opened 3 years ago

eric-w-hart commented 3 years ago

While performing a container scan of this image using Twistlock, 6 vulnerabilities were found.

eric-w-hart commented 3 years ago

Similar vulns have also been found in cp-server.
These were also found using Twistlock container scanner.

python high pip version 9.0.3 has 1 vulnerability.
jar high com.fasterxml.jackson.dataformat_jackson-dataformat-cbor version 2.10.5 has 1 vulnerability.
jar medium io.netty_netty-codec version 4.1.50.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.59.Final has 2 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.49.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.48.Final has 3 vulnerabilities.
jar medium io.netty_netty-all version 4.1.59.Final has 2 vulnerabilities.
jar low org.eclipse.jetty_jetty-io version 9.4.38.v20210224 has 1 vulnerability.
jar low commons-codec_commons-codec version 1.11 has 1 vulnerability.
jar low com.google.guava_guava version 28.1-jre has 1 vulnerability.
jar low com.google.guava_guava version 26.0-jre has 1 vulnerability.

eric-w-hart commented 3 years ago

Similar vulns also exist for cp-schema-registry

python high pip version 9.0.3 has 1 vulnerability.
jar high com.fasterxml.jackson.dataformat_jackson-dataformat-cbor version 2.10.5 has 1 vulnerability.
jar medium io.netty_netty-codec version 4.1.49.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.48.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.50.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.47.Final has 3 vulnerabilities.
jar medium io.netty_netty-all version 4.1.59.Final has 2 vulnerabilities.
jar medium com.squareup.okhttp3_okhttp version 3.9.0 has 1 vulnerability.
jar low org.eclipse.jetty_jetty-io version 9.4.38.v20210224 has 1 vulnerability.
jar low commons-codec_commons-codec version 1.11 has 1 vulnerability.
jar low com.google.guava_guava version 28.1-jre has 1 vulnerability.

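An added triage helper for scanner output in the shape quoted in this issue (example code written for this page, not part of the kafka-images project or Twistlock): it parses each finding line, totals vulnerabilities per severity, and flags artifacts that appear in more than one version inside the same image, since every copy has to be traced to its consumer before the image can be considered clean. The sample input is a subset of the cp-server lines above; the regex and the severity ranking are assumptions about the line format, not a documented scanner schema.

```python
import re
from collections import defaultdict

# Sample findings, copied from the cp-server listing in this issue (subset).
SAMPLE = """\
python high pip version 9.0.3 has 1 vulnerability.
jar high com.fasterxml.jackson.dataformat_jackson-dataformat-cbor version 2.10.5 has 1 vulnerability.
jar medium io.netty_netty-codec version 4.1.50.Final has 3 vulnerabilities.
jar medium io.netty_netty-codec version 4.1.59.Final has 2 vulnerabilities.
jar medium io.netty_netty-all version 4.1.59.Final has 2 vulnerabilities.
jar low com.google.guava_guava version 28.1-jre has 1 vulnerability.
jar low com.google.guava_guava version 26.0-jre has 1 vulnerability.
"""

# Assumed line shape: "<kind> <severity> <artifact> version <ver> has <n> vulnerabilit(y|ies)."
LINE_RE = re.compile(
    r"^(?P<kind>\w+)\s+(?P<severity>critical|high|medium|low)\s+"
    r"(?P<artifact>\S+)\s+version\s+(?P<version>\S+)\s+has\s+"
    r"(?P<count>\d+)\s+vulnerabilit(?:y|ies)\.?"
)
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_findings(text):
    """Turn scanner lines into dicts; reject lines that do not match the expected shape."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised scanner line: {line!r}")
        f = m.groupdict()
        f["count"] = int(f["count"])
        findings.append(f)
    return findings


def summarize(findings):
    """Totals per severity, worst severity seen, and artifacts shipped in several versions."""
    by_severity = defaultdict(int)
    versions = defaultdict(set)
    for f in findings:
        by_severity[f["severity"]] += f["count"]
        versions[f["artifact"]].add(f["version"])
    multi_version = {a: sorted(v) for a, v in versions.items() if len(v) > 1}
    worst = max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default=None)
    return {"total": sum(by_severity.values()), "by_severity": dict(by_severity),
            "multi_version": multi_version, "worst": worst}
```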
janjwerner-confluent commented 2 years ago

Eric, thank you for raising this issue. Confluent Platform updates (including image upgrades) are made available on a quarterly cadence. The issues have been addressed at this point in time.