confluentinc / librdkafka

The Apache Kafka C/C++ library

openssl vulnerabilities #4200

Open romanb52 opened 1 year ago

romanb52 commented 1 year ago

Description

librdkafka uses OpenSSL 3 prior to 3.0.8, which is vulnerable to:

  1. CVE-2023-0286: https://nvd.nist.gov/vuln/detail/CVE-2023-0286/
  2. CVE-2022-4450: https://nvd.nist.gov/vuln/detail/CVE-2022-4450/
  3. CVE-2023-0215: https://nvd.nist.gov/vuln/detail/CVE-2023-0215/

How to reproduce

No need, vulnerable libraries are part of librdkafka


curtspiteri commented 1 year ago

also librdkafka 2.0.2 uses libcurl version 7.86 which is also vulnerable as per https://curl.se/docs/vulnerabilities.html so it should be updated to the latest libcurl version.

senecaconsultancy commented 1 year ago

Hi, just writing to encourage this issue to be resolved as soon as is practical. A lot of banks won't allow its use until these are addressed. Thank you!

curtspiteri commented 1 year ago

@pranavrth apart from LibCurl which has vulnerabilities and should be updated to latest 8.0.1 (See: https://curl.se/docs/vulnerabilities.html)

OpenSSL had other vulnerabilities as recent as 23rd March (See https://www.openssl.org/news/vulnerabilities.html) I saw you upgraded to 3.0.8 in https://github.com/confluentinc/librdkafka/pull/4215 but I guess this needs to be 3.1.1 now once it's available.

Vikash08Mishra commented 1 year ago

I can see the issue even with the latest version of librdkafka (2.1.1). Currently, libcurl is leading to 4 CVEs; it seems all of these would be fixed if we upgraded to libcurl version >= 8.1. We may need an OpenSSL upgrade to 3.1.0 as well. The CVEs below show up in the runtime of all platform distributions (Linux/Windows).

  1. CVE-2023-27535 : https://nvd.nist.gov/vuln/detail/CVE-2023-27535
  2. CVE-2023-27536 : https://nvd.nist.gov/vuln/detail/CVE-2023-27536
  3. CVE-2023-28322: https://nvd.nist.gov/vuln/detail/CVE-2023-28322
  4. CVE-2023-28319: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28319

@emasab @pranavrth Considering that all of the above are high severity CVEs, can we please update these in the upcoming version?

emasab commented 1 year ago

@Vikash08Mishra yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install librdkafka Linux packages (from Confluent repositories) and the latest versions of the dependencies.

To use those:

Python

pip install --no-binary :all: confluent-kafka

Go

go build -tags dynamic

.NET (in .csproj)

    <PackageReference Include="Confluent.Kafka" Version="2.1.1" />
    <PackageReference Include="librdkafka.redist" Version="2.1.1" ExcludeAssets="All" />
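One way to verify which dependency versions a deployed librdkafka build actually carries, as an added example (not librdkafka or Confluent code): it scans a file's bytes for the version banners that OpenSSL and libcurl embed and compares them with the minimum versions this thread names. The banner formats and the thresholds (OpenSSL 3.0.8, libcurl 8.1.0) are assumptions taken from the thread above, not a complete CVE-to-version mapping.

```python
"""Scan a binary's bytes for embedded OpenSSL / libcurl version banners and compare
them with the minimum versions named in this thread. Added example, not librdkafka
code. Assumes OpenSSL embeds its OPENSSL_VERSION_TEXT banner ("OpenSSL 3.0.8 7 Feb
2023") and libcurl its "libcurl/7.86.0" string in the shared object."""
import re

# Minimum fixed versions as stated in the thread (not a full CVE mapping).
MIN_VERSIONS = {
    "OpenSSL": (3, 0, 8),   # CVE-2023-0286 / CVE-2022-4450 / CVE-2023-0215
    "libcurl": (8, 1, 0),   # the four libcurl CVEs listed by Vikash08Mishra
}

# Banner patterns; the OpenSSL one also accepts 1.1.1x-style letter suffixes.
BANNERS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]? +\d+ \w+ \d{4}"),
    "libcurl": re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)"),
}


def find_versions(blob):
    """Return every distinct version tuple found per library, oldest first
    (a statically linked binary can carry more than one copy)."""
    found = {}
    for name, pat in BANNERS.items():
        versions = sorted({tuple(int(g) for g in m.groups()) for m in pat.finditer(blob)})
        if versions:
            found[name] = versions
    return found


def check_binary(blob):
    """Map each library to 'ok', 'outdated <oldest version>' or 'not found'.
    The oldest copy decides, since that is the one a scanner will flag."""
    found = find_versions(blob)
    result = {}
    for name, minimum in MIN_VERSIONS.items():
        if name not in found:
            result[name] = "not found"
            continue
        oldest = found[name][0]
        text = ".".join(str(n) for n in oldest)
        result[name] = "ok" if oldest >= minimum else f"outdated {text}"
    return result


# Constructed stand-in for a shared object: two banners between filler bytes.
SAMPLE = b"\x7fELF\x00\x00OpenSSL 3.0.8 7 Feb 2023\x00\x01libcurl/7.86.0\x00"

if __name__ == "__main__":
    for lib, status in check_binary(SAMPLE).items():
        print(f"{lib}: {status}")   # OpenSSL: ok / libcurl: outdated 7.86.0
```

To run it on a real build, pass the bytes of the librdkafka shared object or DLL (for example `check_binary(open(path, "rb").read())`); a "not found" result means the library is dynamically linked or the banner was stripped, not that it is absent.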

vdkranak commented 1 year ago

Looks like OpenSSL just released a new version, 3.1.1: https://github.com/openssl/openssl/releases/tag/openssl-3.1.1

romanb52 commented 1 year ago

Another vulnerability: CVE-2023-2650

romanb52 commented 1 year ago

Any update please?

romanb52 commented 1 year ago

Another one: CVE-2023-4807

vivek-datadog commented 11 months ago

A few more CVEs in OpenSSL v3.0.8

vivek-datadog commented 10 months ago

Hello @emasab, reaching out to check on the OpenSSL version update timeline. Would this be taken care of as part of https://github.com/confluentinc/librdkafka/pull/4303? I am particularly interested in librdkafka with updated OpenSSL for the Windows environment.

janjwerner-confluent commented 6 months ago

Thank you for the report. We are in the process of resolving this issue. Please see: https://github.com/confluentinc/librdkafka/pull/4706

dpey2mtl commented 2 months ago

Request to Upgrade OpenSSL to Latest Version

Hello Confluent Team,

I would like to request an upgrade of the OpenSSL package bundled with Confluent Kafka. Currently, version 3.0.8 is being used, which has known vulnerabilities that can pose security risks. Upgrading to version 3.0.13 or later would greatly enhance security.

Many users, including those utilizing the Datadog Agent, have flagged these vulnerabilities, and tools like Microsoft Defender have raised alerts regarding the presence of these outdated libraries.

I believe this upgrade is crucial for maintaining the security and integrity of applications relying on Confluent Kafka.

Thank you for considering this request. I look forward to your response.

Best regards, Didier

janjwerner-confluent commented 2 months ago

@dpey2mtl Please see https://github.com/confluentinc/librdkafka/issues/4786. The discussion about openssl is continued there. cc @milindl @emasab