openssl vulnerabilities #4200
Comments
Also, librdkafka 2.0.2 uses libcurl 7.86, which is also vulnerable as per https://curl.se/docs/vulnerabilities.html, so it should be updated to the latest libcurl version.
Hi, just writing to encourage that this issue be resolved as soon as is practical. A lot of banks won't allow its use until these are addressed.
@pranavrth Apart from libcurl, which has vulnerabilities and should be updated to the latest 8.0.1 (see https://curl.se/docs/vulnerabilities.html), OpenSSL had other vulnerabilities as recently as 23rd March (see https://www.openssl.org/news/vulnerabilities.html).
I could see the issue even with the latest version of librdkafka (2.1.1). Currently, libcurl is leading to 4 CVEs; it seems all of these would be fixed if we upgrade to libcurl version >= 8.1. We may need an OpenSSL upgrade to 3.1.0 as well.
@emasab @pranavrth Considering that all of the above are high-severity CVEs, can we please update these in the upcoming version?
@Vikash08Mishra Yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install the librdkafka Linux packages (from Confluent repositories) and the latest versions of the dependencies. To use those:
Python
Go
.NET (in .csproj)
Looks like OpenSSL just released a new version, 3.1.1: https://github.com/openssl/openssl/releases/tag/openssl-3.1.1
Another vulnerability: CVE-2023-2650
Any update please?
Another one: CVE-2023-4807
Hello @emasab, reaching out to check on the OpenSSL version update timeline. Would this be taken care of as part of #4303? I am particularly interested in librdkafka with updated OpenSSL for the Windows environment.
Thank you for the report. We are in the process of resolving this issue. |
Request to Upgrade OpenSSL to Latest Version

Hello Confluent Team,

I would like to request an upgrade of the OpenSSL package bundled with Confluent Kafka. Currently, version 3.0.8 is being used, which has known vulnerabilities that can pose security risks. Upgrading to version 3.0.13 or later would greatly enhance security.

Many users, including those utilizing the Datadog Agent, have flagged these vulnerabilities, and tools like Microsoft Defender have raised alerts regarding the presence of these outdated libraries. I believe this upgrade is crucial for maintaining the security and integrity of applications relying on Confluent Kafka.

Thank you for considering this request. I look forward to your response.

Best regards,
Description
librdkafka uses an OpenSSL 3 release prior to 3.0.8, which is vulnerable:
[CVE-2023-0286] - https://nvd.nist.gov/vuln/detail/CVE-2023-0286/
[CVE-2022-4450] - https://nvd.nist.gov/vuln/detail/CVE-2022-4450/
[CVE-2023-0215] - https://nvd.nist.gov/vuln/detail/CVE-2023-0215/
How to reproduce
No need, vulnerable libraries are part of librdkafka
Checklist
Please provide the following information:
Logs (with debug=.. as necessary) from librdkafka: not needed
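The thread hinges on which OpenSSL a given librdkafka build carries: the description above says the bundled OpenSSL is older than 3.0.8, and the maintainer's reply points to Confluent's Linux packages plus the system OpenSSL as the faster fix. The script below is an added example, not code from this issue or from librdkafka, that lets you check a concrete binary rather than trust a version string. It relies on the "OpenSSL x.y.z <date>" banner that OpenSSL embeds in libcrypto: a librdkafka shared object that statically links OpenSSL carries that banner, while one that links the system libcrypto does not. The file path, the minimum version, the sample bytes and the date in the sample are all assumptions of this example; point it at the librdkafka .so/.dll from your wheel, NuGet package or Go module cache.

```shell
#!/bin/sh
# Added example (not code from the issue thread or from librdkafka): report the
# OpenSSL version statically linked into a librdkafka binary and compare it with
# a minimum. OpenSSL embeds a banner such as "OpenSSL 3.0.8 7 Feb 2023" in
# libcrypto, so a bundled build carries that string; a build linked against the
# system libcrypto does not (then audit the system package instead).
# File names and the minimum version are assumptions, not project values.

LC_ALL=C
export LC_ALL

# Print the OpenSSL version found in binary $1 (e.g. 3.0.7), or nothing.
embedded_openssl_version() {
    # Turn every non-printable byte into a newline: a portable "strings".
    tr -c '[:print:]' '\n' < "$1" \
      | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\) .*/\1/p' \
      | head -n 1
}

# Return 0 when x.y.z version $1 is numerically older than $2.
# A 1.1.1-style patch letter is ignored; sufficient for the 3.x versions here.
version_lt() {
    lt_a1=${1%%.*}; lt_r=${1#*.}; lt_a2=${lt_r%%.*}; lt_a3=${lt_r#*.}; lt_a3=${lt_a3%%[a-z]*}
    lt_b1=${2%%.*}; lt_r=${2#*.}; lt_b2=${lt_r%%.*}; lt_b3=${lt_r#*.}; lt_b3=${lt_b3%%[a-z]*}
    if [ "$lt_a1" -ne "$lt_b1" ]; then [ "$lt_a1" -lt "$lt_b1" ]; return; fi
    if [ "$lt_a2" -ne "$lt_b2" ]; then [ "$lt_a2" -lt "$lt_b2" ]; return; fi
    [ "$lt_a3" -lt "$lt_b3" ]
}

# Verdict for binary $1 against minimum version $2.
# Exit status: 0 = at or above the minimum, 1 = older (affected), 2 = no banner.
check_bundled_openssl() {
    found=$(embedded_openssl_version "$1")
    if [ -z "$found" ]; then
        echo "$1: no OpenSSL banner; it probably links the system libcrypto, audit that instead"
        return 2
    fi
    if version_lt "$found" "$2"; then
        echo "$1: bundles OpenSSL $found, older than $2"
        return 1
    fi
    echo "$1: bundles OpenSSL $found, at or above $2"
    return 0
}

# Constructed stand-in for a bundled librdkafka .so written to $1: binary bytes
# around the banner OpenSSL $2 would embed (the date is made up).
make_sample_binary() {
    printf '\177ELF\002\001\001\000\000\000junk\000OpenSSL %s 7 Feb 2023\000tail\000' "$2" > "$1"
}

# Build a sample carrying OpenSSL $1, check it against minimum $2, return the verdict.
demo_check() {
    demo_tmp=$(mktemp)
    make_sample_binary "$demo_tmp" "$1"
    demo_rc=0
    check_bundled_openssl "$demo_tmp" "$2" || demo_rc=$?
    rm -f "$demo_tmp"
    return "$demo_rc"
}

# Stand-alone use: ./check_openssl.sh /path/to/librdkafka.so 3.0.8
if [ "$#" -ge 1 ]; then
    check_bundled_openssl "$1" "${2:-3.0.8}"
else
    demo_check 3.0.7 3.0.8 || true   # constructed sample: reports "older than 3.0.8"
fi
```

Exit status 2 is not a pass: a binary without the banner has simply delegated the question to whatever libcrypto the dynamic loader resolves, which is exactly the system package the maintainer suggests keeping current. For Windows DLLs the same banner scan applies, since the string is in the linked libcrypto code regardless of platform.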