confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html

schema-registry 6.1.9 and latest 7.3.X have some Critical and High vulnerabilities #2541

Open BrijeshBurfal opened 1 year ago

BrijeshBurfal commented 1 year ago

Describe the bug: In the cp-schema-registry 6.1.9 and 7.3.1 Docker Hub images, we used the Aquasec security scanner and found these Critical and High vulnerabilities.

We even tried making these changes on our end by pulling the Docker Hub cp-schema-registry image and upgrading / bumping versions, but the packages in the images are not getting bumped.

To Reproduce: Pull the Docker images from Docker Hub and scan them using any security scanner (we used the Aquasec security scanner).

https://hub.docker.com/layers/confluentinc/cp-schema-registry/7.3.1/images/sha256-e7a7c0b2d71f140467517094636357986a49586b12ce56919c67fc391145f929?context=explore

ISSUE AND POSSIBLE RESOLUTION

There were 10 Critical and 9 High vulnerabilities coming from 4 packages, with multiple occurrences:
a) pip -> 1 High
b) woodstox-core -> 4 High
c) netty-codec-haproxy -> 4 High
d) snakeyaml -> 10 Critical

a) pip: CVE-2019-20916, path /usr/lib/python3.6/site-packages/pip. We can run pip3 install --upgrade pip to resolve this pip issue for python3.6.

b) woodstox-core: needs to be upgraded to v6.4.0. CVE: CVE-2022-40152. e.g. paths: /usr/share/java/confluent-security/ksql/woodstox-core-6.3.1.jar, /usr/share/java/acl/acl-7.3.1.jar

c) netty-codec-haproxy: netty-codec-haproxy-4.1.79.Final.jar --> upgrade to v4.1.86.Final. CVE: CVE-2022-41881. e.g. path: /usr/share/java/confluent-security/connect/netty-codec-haproxy-4.1.79.Final.jar

d) snakeyaml: CVE-2022-1471. There is an issue raised in snakeyaml, mentioned here, which will be fixed with a new version of snakeyaml. Refer to this open issue in snakeyaml: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

Expected behavior: woodstox-core -> 6.4.0; pip -> upgrade in python 3.6; netty-codec-haproxy -> v4.1.86.Final. CVE-2022-41881, CVE-2022-40152, CVE-2022-1471 and CVE-2019-20916 can then be resolved.

We need to update these packages in order to resolve the security issues coming from these images.

BrijeshBurfal commented 1 year ago

@astubbs @bobby @rehevkor5 @mhowlett It would be great if anyone can have a look on this.

janjwerner-confluent commented 1 year ago

@BrijeshBurfal Thank you for raising this issue. We expect that a), b) and c) will be resolved with the upcoming quarterly patch release. As for CVE-2022-1471 - this issue stems from insecure use of the snakeyaml library and cannot be resolved by simply updating the version of the dependency. We have evaluated the use of the snakeyaml library, and found no insecure usage instances in the Confluent Platform.
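An added illustration of the distinction drawn in the comment above (this is example code written for this page, not code from the thread, from Confluent Platform or from the snakeyaml project). It assumes a SnakeYAML 1.x release, where the default `new Yaml()` wires in the unrestricted `Constructor` that honours arbitrary `!!class` tags (the root of CVE-2022-1471), and where `SafeConstructor(LoaderOptions)` is available; SnakeYAML 2.0 changed the default so that global tags are rejected unless explicitly allowed. The YAML document and the `attacker.invalid` hostname are constructed sample input.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlLoading {

    // Constructed sample input standing in for an attacker-controlled document.
    // The "!!" global tag asks the loader to instantiate the named class with the
    // sequence as constructor arguments; with the default Constructor any class on
    // the classpath that has a matching constructor can be instantiated this way.
    static final String UNTRUSTED =
            "endpoint: !!java.net.URL [\"http://attacker.invalid/\"]\n";

    /** Insecure usage: new Yaml() uses Constructor, which resolves arbitrary !!class tags (1.x). */
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    /** Secure usage: SafeConstructor only builds the standard YAML types (maps, lists, scalars). */
    static Object loadUntrusted(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // The document, not the application, chose which class gets instantiated.
        Map<?, ?> unsafe = (Map<?, ?>) loadWithDefaults(UNTRUSTED);
        System.out.println("default loader produced: " + unsafe.get("endpoint").getClass().getName());

        try {
            loadUntrusted(UNTRUSTED);
            System.out.println("unexpected: safe loader accepted a global tag");
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for tag:yaml.org,2002:java.net.URL,
            // so it throws a ConstructorException (a YAMLException) instead of instantiating it.
            System.out.println("safe loader rejected it: " + e.getMessage().split("\n")[0]);
        }
    }
}
```

The scanner flags the jar because the vulnerable code path exists in the library; whether a deployment is exposed depends on whether any call site feeds untrusted YAML to a `Yaml` built with the default constructor rather than `SafeConstructor`. When typed beans are needed, the application should pick the classes it is willing to build, not the document; bumping the jar alone does not change an existing `new Yaml()` call site.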

BrijeshBurfal commented 1 year ago

@janjwerner-confluent Thanks for acknowledging it. I also found a few more vulnerabilities; can you incorporate these too? Vulnerable packages:

cryptography v3.4.8

fixed: cryptography v39.0.1 (pip install cryptography)

Can we expect a bump for this site package too, as it has a critical vulnerability? CVE: CVE-2023-0286, CVE-2023-23931

libksba v1.3.5-8.el8_6

RHSA-2023:0625 fix: v1.3.5-9.el8_7 (RUN yum update libksba -y)

janjwerner-confluent commented 1 year ago

@BrijeshBurfal Yes we expect to address those issues in the upcoming release.

tooptoop4 commented 1 year ago

Without waiting for the release, do you think dropping in the snakeyaml-2.0 jar will work out of the box? Or are Java class changes needed too?

janjwerner-confluent commented 1 year ago

I strongly recommend against just dropping in an updated jar. This is a major version update, so I expect compatibility issues. Can't say more without doing more testing.