Open pavel-sbor opened 4 years ago
I'm not entirely sure these are isolated dependencies in this repo. confluent-common is where they exist.
log4j 1.2 is part of Apache Kafka, and there already is an open JIRA for it.
Guava and Hibernate Validator might be used in Kafka. Cannot recall.
I'm not entirely sure where snakeyaml is used, if anywhere. Could probably be excluded.
We also found a few other vulnerabilities:
- netty-codec: need to upgrade to 4.1.46 from 4.1.42
- woodstox-core: need to upgrade to 5.3.0 from 5.0.3
These two are both part of hadoop-common. Upgrading hadoop-common to the latest version does not upgrade the above two.
Pavel, thank you for raising this issue. The CVE has been addressed with the update of the respective packages.
As for log4j - based on the product, Confluent ships either a custom in-house built non-vulnerable version or reload4j. For more information please refer to https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory
We recommend using the latest release 5.5.11: http://packages.confluent.io/archive/5.5/confluent-5.5.11-2.12.zip
Description
I checked the Confluent Kafka 5.5.1 distribution with WhiteSource and found out that some libraries have vulnerabilities. Here they are:
log4j-1.2.17.jar has CVE-2019-17571 and CVE-2020-9488 vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2
snakeyaml-1.24.jar has CVE-2017-18640 vulnerability. The way to fix it is to upgrade to 1.26 version
hibernate-validator-6.0.17.Final.jar has CVE-2019-10219 and CVE-2020-10693 vulnerabilities. The way to fix it is to upgrade to org.hibernate.validator:hibernate-validator:6.0.20.Final
guava-24.0-jre.jar has CVE-2018-10237 vulnerability. The way to fix it is to upgrade to 24.1.1-jre version (kafka-serde-tools uses this library too)
To Reproduce
Download the Confluent Kafka 5.5.1 distribution (for example:
curl -O http://packages.confluent.io/archive/5.5/confluent-community-5.5.1-2.12.tar.gz
)
Open the share/java/schema-registry folder in it and find the jars listed above.
Open the share/java/kafka-serde-tools folder in it and find guava-24.0-jre.jar.
Check that these jars with the corresponding versions are mentioned in the corresponding vulnerability description (for example, on https://nvd.nist.gov/vuln/detail/CVE-2019-17571 log4j 1.2.17 is mentioned in the "Known Affected Software Configurations" list).
Expected behavior
log4j upgraded to log4j-core:2.13.2 or higher
snakeyaml upgraded to 1.26 or higher
hibernate-validator upgraded to 6.0.20.Final or higher
guava upgraded to 24.1.1-jre or higher (for kafka-serde-tools too)
Actual behaviour
log4j is 1.2.17
snakeyaml is 1.24
hibernate-validator is 6.0.17.Final
guava is 24.0-jre
Additional context
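One way to automate the manual check in the "To Reproduce" steps above (an added example, not code from the issue or from the Confluent project): walk a share/java tree, parse each jar file name into artifact and version, and flag every jar that sits below the fixed versions the report asks for. The directory layout and jar names it builds are constructed for the demo, and the version comparison deliberately ignores qualifiers such as -jre and .Final.

```python
import re
import tempfile
from pathlib import Path

# Minimum fixed versions, taken from the report above. For log4j the request is to
# move from the 1.2.x line to log4j-core 2.13.2 or later, so any 1.x jar is flagged.
MIN_FIXED = {"log4j": "2.13.2", "snakeyaml": "1.26",
             "hibernate-validator": "6.0.20", "guava": "24.1.1"}

# <artifact>-<version>.jar; the artifact name may itself contain dashes.
JAR_RE = re.compile(r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def version_key(version):
    """Numeric prefix as an int tuple; qualifiers such as '-jre' or '.Final' are ignored."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    return tuple(int(part) for part in numeric.split("."))


def scan_jars(root):
    """Return (relative path, artifact, version, minimum fixed) for every jar whose
    version is below the minimum fixed version of a tracked artifact."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        match = JAR_RE.match(path.name)
        if not match:
            continue
        name, version = match.group("name"), match.group("version")
        if name in MIN_FIXED and version_key(version) < version_key(MIN_FIXED[name]):
            findings.append((str(path.relative_to(root)), name, version, MIN_FIXED[name]))
    return findings


def demo_tree():
    """Constructed directory layout mimicking the share/java folders named in the report."""
    root = tempfile.mkdtemp()
    layout = {
        "share/java/schema-registry": ["log4j-1.2.17.jar", "snakeyaml-1.24.jar",
                                       "hibernate-validator-6.0.17.Final.jar", "guava-24.0-jre.jar"],
        "share/java/kafka-serde-tools": ["guava-24.0-jre.jar", "snakeyaml-1.26.jar"],
    }
    for folder, jars in layout.items():
        directory = Path(root, folder)
        directory.mkdir(parents=True)
        for jar in jars:
            directory.joinpath(jar).touch()  # empty files; only the file name matters here
    return root


if __name__ == "__main__":
    for rel_path, name, version, fixed in scan_jars(demo_tree()):
        print(f"{rel_path}: {name} {version} < {fixed}")
```

Pointing scan_jars at the share/java directory of a real unpacked distribution runs the same check against the actual jars.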