[MODSER-9] Upgrade kafka-clients from 2.3.0 to >= 3.6.0 fixing vulns

Created: 15/Oct/23 | Updated: 19/Oct/23

| Field | Value |
|---|---|
| Status | Open |
| Project | mod-serials-management |
| Components | None |
| Affects versions | None |
| Fix versions | None |
| Type | Task |
| Priority | P3 |
| Reporter | Julian Ladisch |
| Assignee | Owen Stephens |
| Resolution | Unresolved |
| Votes | 0 |
| Labels | security, security-reviewed |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original estimate | Not Specified |
| Sprint | |
| Development Team | K-Int |
| RCA Group | Related dependency upgrade |

Description
Upgrade org.apache.kafka:kafka-clients from 2.3.0 to >= 3.6.0 fixing multiple security vulnerabilities:

- kafka-clients - Timing Attack - https://nvd.nist.gov/vuln/detail/CVE-2021-38153

The kafka-clients upgrade automatically upgrades snappy-java from 1.1.7.3 to 1.1.10.4 fixing these security vulnerabilities:

- snappy-java - Allocation of Resources Without Limits or Throttling - https://nvd.nist.gov/vuln/detail/CVE-2023-43642
- snappy-java - Denial of Service (DoS) - https://nvd.nist.gov/vuln/detail/CVE-2023-34455
- snappy-java - Integer Overflow or Wraparound - https://nvd.nist.gov/vuln/detail/CVE-2023-34453, https://nvd.nist.gov/vuln/detail/CVE-2023-34454