Skip to main content

Confluent Security Advisory (CONFSA) Publication Policy

  • Updated

Scope

Supported versions of Confluent Platform, Confluent for Kubernetes (CFK), Confluent-supported Connectors, and Confluent Cloud.  

Policy

Confluent publishes security release notes for patch releases as well as Confluent Security Advisories (CONFSAs) for exploitable vulnerabilities in adherence to the conditions specified in this policy. This policy details the criteria for when a CONFSA will be published. Confluent aims to keep our customers safe and secure by mitigating the risk of software vulnerabilities in all Confluent software. In order to achieve this, Confluent software follows a risk-aligned vulnerability management program that includes the following security diligence activities on a periodic basis:

  • The Confluent security team continuously monitors and promptly responds to all vulnerability reports from the security community sent in via the security@confluent.io email address.
  • The security team at Confluent regularly triage vulnerabilities arising in open source software in order to assess impact and perform exploitability analysis for Confluent software.  
  • Confluent software is scanned by commercial tools to regularly identify CVEs in 3rd party dependencies on a regular basis.
  • Confluent code is also scanned using a commercial static code analysis tool that helps with variant and taint analysis in order to identify various categories of security issues through regular SAST scans.
  • Confluent web application components undergo manual penetration testing and automated dynamic analysis on a quarterly basis.

Confluent leverages the CVSS 3.1 calculator to assign severity ratings for any identified issues. Any findings resulting from these activities are triaged in a time sensitive manner and are further classified and accordingly remediated in one of the following classes of issues:

Class

Description

Remediation

Vulnerabilities

Exploitable software bugs in Confluent software or included third-party dependencies that can result in a loss of confidentiality, integrity or availability of customer data or within the underlying hosting platform by the use of Confluent software. Exploitability is determined by Confluent security engineer’s analysis of suspected or reported vulnerabilities.

Based on CVSS severity:

  • Critical (CVSS 9.0 - 10.0) - Fix available as soon as possible

  • High (CVSS ​​7.0 - 8.9) - Fix available in 30 days

  • Medium (CVSS 4.0 - 6.9) - Fix available in 90 days

  • Low(CVSS 0.1 - 3.9) - Fix available in 180 days

For vulnerabilities that represent Medium or higher severities, Confluent issues a CONFSA (Confluent Security Advisory) at Security Advisories and Security Release Notes – Confluent Support Portal for transparency that provides detailed information about the vulnerability, CVSS calculations, impact and remediation efforts.

For vulnerabilities that are Low or Informational severity, Confluent will use its own discretion based on risk to customers to determine whether or not to issue a security advisory or include information in the patch release notes.

Security Hygiene Bug Fixes

Following the initial triage of a reported vulnerability in a third-party dependency and the determination that there is no known exploitable path, Confluent will characterize the issue as a candidate for a security hygiene fix. Hygiene fixes take place with regular frequency out of an abundance of caution, but need appropriate testing and compatibility analysis.

Confluent Platform docker images are based on Red Hat UBI 8 Operating system image. Base OS image upgrades are based upon Red Hat security guidance and patches. Confluent does not remove or modify OS packages for hygiene fixes.

Fixes for all CVSS severities in this category are published through quarterly patch releases unless determined to be exploitable. 

Security release notes are published at Security Advisories and Security Release Notes – Confluent Support Portal for every patch release version per released version of CP and CFK software. CVE inclusion in these notes does not imply exploitability or presence of a vulnerability. 

Note: Security patch release notes for hygiene issues are only available for Confluent Platform and Confluent for Kubernetes software. Confluent does not issue security release notes for hygiene bug fixes in Confluent Cloud and Connectors at this time.

Was this article helpful?
1 out of 1 found this helpful
Return to top

Related articles