Critical Vulnerabilities found in release 4.0.2

[ricardoredondo]

While working with Kafdrop a few High and Critical vulnerabilities were found. Is it possible to get these vulnerabilities addressed

What vulnerabilities were found:

• {"service_name": "kafka-monitor", "package": "com.google.protobuf:protobuf-java", "version": "4.27.2", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-7254", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-5971", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-6162", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-7885", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "org.apache.avro:avro", "version": "1.11.3", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-47561", "Severity": "CRITICAL"},
• {"service_name": "kafka-monitor", "package": "org.apache.commons:commons-compress", "version": "1.21", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-25710", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "org.jboss.xnio:xnio-api", "version": "3.8.8.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2023-5685", "Severity": "HIGH"},
• {"service_name": "kafka-monitor", "package": "org.springframework:spring-webmvc", "version": "6.1.10", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-38816", "Severity": "HIGH"}

How to retrieve the list of vulnerabilities: For this I used Trivy. Which is a popular open source security scanner for Vulnerability Trivy installation: https://aquasecurity.github.io/trivy/v0.57/getting-started/installation/ How to run it:

• $ mkdir tmp
• $ cd tmp
• $ wget -O kafdrop.jar https://github.com/obsidiandynamics/kafdrop/releases/download/4.0.2/kafdrop-4.0.2.jar
• $ trivy rootfs . --scanners vuln --severity HIGH,CRITICAL

Looking fw an update in this.

[Bert-R]

Do you mind running the same scan on the latest snapshot build? Then we know whether it would help to release the current snapshot.

[nickmarden]

I fired up the kafdrop-4.0.3-SNAPSHOT.jar image, copied the jar over to my local filesystem, and unpacked the jar contents for scanning:

[Nicks-Prodigious-MacBook-Pro]➜  tmp ls -al
total 0
drwxr-xr-x    5 nick  staff   160 Nov 22 13:07 .
drwxr-x---+ 182 nick  staff  5824 Nov 22 13:08 ..
drwxr-xr-x    6 nick  staff   192 Nov 22 12:12 BOOT-INF
drwxr-xr-x    7 nick  staff   224 Nov 22 12:12 META-INF
drwxr-xr-x    3 nick  staff    96 Jan 31  1980 org

[Nicks-Prodigious-MacBook-Pro]➜  tmp trivy rootfs . --scanners vuln --severity HIGH,CRITICAL
2024-11-22T13:08:10.400-0500    INFO    Vulnerability scanning is enabled
2024-11-22T13:08:10.427-0500    INFO    Number of language-specific files: 1
2024-11-22T13:08:10.427-0500    INFO    Detecting jar vulnerabilities...

[Nicks-Prodigious-MacBook-Pro]➜  tmp trivy rootfs . --scanners vuln
2024-11-22T13:08:16.572-0500    INFO    Vulnerability scanning is enabled
2024-11-22T13:08:16.602-0500    INFO    Number of language-specific files: 1
2024-11-22T13:08:16.602-0500    INFO    Detecting jar vulnerabilities...

Which might show that the new version solves the issue ? But I'm not sure. cc @ricardoredondo