confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html
2.16k stars, 1.1k forks

io.confluent:kafka-json-schema-serializer:7.5.1 includes a third-party library with a critical vulnerability #2960

Open maciejadamski0 opened 4 months ago

maciejadamski0 commented 4 months ago

Hi, the library that contains the serializers/deserializers for JSON Schema contains a critical vulnerability. We tried to exclude it from the packages, but then sending messages on Kafka does not work.

com.kjetland:mbknor-jackson-jsonschema has not published a newer version since 2020.

[Screenshot 2024-02-07 at 09:00:52]

People reported errors and created merge requests to correct these problems, but the author did not respond. It looks like the library is simply no longer supported.

Are you able to replace this particular library with a newer solution that has support and does not contain critical vulnerabilities?

[Screenshot 2024-02-07 at 09:37:38]

janjwerner-confluent commented 4 months ago

@maciejadamski0 Can you try to override the version of scala-library that is brought into your project using dependency management? If you look at the current 7.5.x dependency tree, you should notice updated versions of the kafka and scala jars.

```
[INFO] --- dependency:3.3.0:tree (default-cli) @ kafka-json-schema-serializer ---
[INFO] io.confluent:kafka-json-schema-serializer:jar:7.5.4-0
[INFO] +- org.apache.kafka:kafka_2.13:jar:7.5.4-10-ccs:provided
[INFO] |  +- org.apache.kafka:kafka-clients:jar:7.5.4-10-ccs:compile
[INFO] |  |  +- com.github.luben:zstd-jni:jar:1.5.5-1:runtime
[INFO] |  |  +- org.lz4:lz4-java:jar:1.8.0:runtime
[INFO] |  |  \- org.xerial.snappy:snappy-java:jar:1.1.10.5:runtime
[INFO] |  +- org.scala-lang:scala-library:jar:2.13.10:compile
```

maciejadamski0 commented 4 months ago

@janjwerner-confluent Sorry, I'm not a Scala expert, but my understanding is that this language works on the principle that if we have this library, https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39, the library indicates which version of Scala it was written for; the information is in the table ("Scala Target"). It may happen that the library stops working or behaving correctly. The mbknor-jsonschema library itself contains many vulnerabilities and will probably become quite dangerous to use soon. Do you have a plan to change this library in the upcoming releases?

janjwerner-confluent commented 2 months ago

@maciejadamski0 I'm not aware of any current plans to replace the library. Overriding the scala library has passed all the tests we have for schema registry. You mentioned "The mbknor-jsonschema library itself contains many vulnerabilities"; can you point me to those vulnerabilities?

maciejadamski0 commented 2 months ago

Hi @janjwerner-confluent

Maven Central repository link: https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39

Copied list of vulnerabilities from the dependency:

- CVE-2023-6378
- CVE-2022-42004
- CVE-2022-42003
- CVE-2022-36944
- CVE-2021-46877
- CVE-2020-36518
- CVE-2020-25649

> Override of the scala library has passed all the tests we have for schema registry.

I will try this action and let you know if it helped in our case.
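A concrete form of the override discussed in this thread (janjwerner-confluent's suggestion to pin scala-library through dependency management, and the CVE list posted in reply), as an added example that is not from the thread or from the schema-registry project. It assumes a Maven consumer of kafka-json-schema-serializer 7.5.x; the groupId/artifactId of the consumer and the pinned jackson-databind version (2.15.2) are my assumptions, and scala-library 2.13.10 is the version the tree posted above already resolves. The mapping of the listed CVEs to artifacts is my reading of the advisories: to my knowledge CVE-2022-36944 is filed against scala-library, CVE-2023-6378 against logback, and the remaining five against jackson-databind, so the override targets those transitive artifacts rather than the mbknor jar itself (which cannot be excluded without breaking serialization, as reported at the top of the issue):

```xml
<!-- Added example, not code from the thread or the schema-registry project.
     Assumed: a Maven project that depends on kafka-json-schema-serializer 7.5.x.
     dependencyManagement takes precedence over the versions that
     com.kjetland:mbknor-jackson-jsonschema declares, without excluding that
     library (excluding it breaks message serialization, as reported above). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                 <!-- assumed consumer coordinates -->
  <artifactId>json-schema-producer</artifactId>  <!-- assumed -->
  <version>1.0.0</version>

  <repositories>
    <!-- Confluent artifacts are published here, not on Maven Central -->
    <repository>
      <id>confluent</id>
      <url>https://packages.confluent.io/maven/</url>
    </repository>
  </repositories>

  <dependencyManagement>
    <dependencies>
      <!-- CVE-2022-36944 from the list above is a scala-library advisory
           (2.13.x before 2.13.9). 2.13.10 is what the 7.5.4 tree posted in
           this issue already resolves, so this only forces the same choice
           when mbknor's older declaration would otherwise win. -->
      <dependency>
        <groupId>org.scala-lang</groupId>
        <artifactId>scala-library</artifactId>
        <version>2.13.10</version>
      </dependency>
      <!-- CVE-2020-25649, CVE-2020-36518, CVE-2021-46877, CVE-2022-42003 and
           CVE-2022-42004 are jackson-databind advisories. 2.15.2 is an assumed
           choice at or above the fixed versions; align it with whatever your
           platform's Jackson BOM ships. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.15.2</version>
      </dependency>
      <!-- CVE-2023-6378 is a logback advisory. Pin ch.qos.logback:logback-classic
           and logback-core here only if they actually appear in your
           dependency:tree, to avoid downgrading a logging stack you chose. -->
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.confluent</groupId>
      <artifactId>kafka-json-schema-serializer</artifactId>
      <version>7.5.4</version>  <!-- assumed; the tree above was produced from 7.5.4 -->
    </dependency>
  </dependencies>
</project>
```

After adding the block, confirm what actually resolved with `mvn dependency:tree -Dincludes=org.scala-lang:scala-library,com.fasterxml.jackson.core:jackson-databind` and run your own producer/consumer tests, since the override changes runtime jars that mbknor 1.0.39 was compiled against (Scala 2.13.x patch releases are binary compatible within the 2.13 line, which is why the schema-registry test suite passing is meaningful). One caveat for anyone tracking this with a scanner: the mbknor artifact itself still resolves at 1.0.39, so a tool that reports advisories by the declared dependencies of that artifact, rather than by the versions your build resolved, will keep listing the same CVEs even after the override has removed the vulnerable jars from the classpath.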

janjwerner-confluent commented 2 months ago

@maciejadamski0 Were you able to resolve the issue?