Open eric-w-hart opened 3 years ago
Similar vulns have also been found in cp-server.
These were also found using Twistlock container scanner .
python | high | pip version 9.0.3 has 1 vulnerability.Show details |
---|---|---|
jar | high | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor version 2.10.5 has 1 vulnerability.Show details |
jar | medium | io.netty_netty-codec version 4.1.50.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.59.Final has 2 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.49.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.48.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-all version 4.1.59.Final has 2 vulnerabilities.Show details |
jar | low | org.eclipse.jetty_jetty-io version 9.4.38.v20210224 has 1 vulnerability.Show details |
jar | low | commons-codec_commons-codec version 1.11 has 1 vulnerability.Show details |
jar | low | com.google.guava_guava version 28.1-jre has 1 vulnerability.Show details |
jar | low | com.google.guava_guava version 26.0-jre has 1 vulnerability. |
Similar vulns also exist for cp-schema-registry
python | high | pip version 9.0.3 has 1 vulnerability.Show details |
---|---|---|
jar | high | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor version 2.10.5 has 1 vulnerability.Show details |
jar | medium | io.netty_netty-codec version 4.1.49.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.48.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.50.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-codec version 4.1.47.Final has 3 vulnerabilities.Show details |
jar | medium | io.netty_netty-all version 4.1.59.Final has 2 vulnerabilities.Show details |
jar | medium | com.squareup.okhttp3_okhttp version 3.9.0 has 1 vulnerability.Show details |
jar | low | org.eclipse.jetty_jetty-io version 9.4.38.v20210224 has 1 vulnerability.Show details |
jar | low | commons-codec_commons-codec version 1.11 has 1 vulnerability.Show details |
jar | low | com.google.guava_guava version 28.1-jre has 1 vulnerability. |
Eric, Thank you for raising this issue. Confluent Platform updates (including image upgrades) are made available on a quarterly cadence. The issues have been addressed at this point in time.
While performing a container scan of this image using Twistlock, 6 vulnerabilities were found.
[ ] - The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
[ ] - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
[ ] - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by
Http2MultiplexHandler
as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest
,HttpContent
, etc.) viaHttp2StreamFrameToHttpObjectCodec
and then sent up to the child channel\'s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true:HTTP2MultiplexCodec
orHttp2FrameCodec
is used,Http2StreamFrameToHttpObjectCodec
is used to convert to HTTP/1.1 objects[ ] - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\'s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\'s \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.
[ ] - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
[ ] - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by
Http2MultiplexHandler
as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest
,HttpContent
, etc.) viaHttp2StreamFrameToHttpObjectCodec
and then sent up to the child channel\'s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true:HTTP2MultiplexCodec
orHttp2FrameCodec
is used,Http2StreamFrameToHttpObjectCodec
is used to convert to HTTP/1.1 objects