[MODSER-9] Upgrade kafka-clients from 2.3.0 to >= 3.6.0 fixing vulns Created: 15/Oct/23  Updated: 19/Oct/23

Status: Open
Project: mod-serials-management
Components: None
Affects versions: None
Fix versions: None

Type: Task
Priority: P3
Reporter: Julian Ladisch
Assignee: Owen Stephens
Resolution: Unresolved
Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: K-Int
RCA Group: Related dependency upgrade

Description

Upgrade org.apache.kafka:kafka-clients from 2.3.0 to >= 3.6.0 fixing multiple security vulnerabilities:

kafka-clients - Timing Attack - https://nvd.nist.gov/vuln/detail/CVE-2021-38153

The kafka-clients upgrade automatically upgrades snappy-java from 1.1.7.3 to 1.1.10.4 fixing these security vulnerabilities:

snappy-java - Allocation of Resources Without Limits or Throttling - https://nvd.nist.gov/vuln/detail/CVE-2023-43642

snappy-java - Denial of Service (DoS) - https://nvd.nist.gov/vuln/detail/CVE-2023-34455

snappy-java - Integer Overflow or Wraparound - https://nvd.nist.gov/vuln/detail/CVE-2023-34453, https://nvd.nist.gov/vuln/detail/CVE-2023-34454


Generated at Thu Feb 08 22:31:00 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.