Confluent Platform patch release version 7.2.6 contains fixes that resolve vulnerabilities in Confluent-owned components and in dependencies used by Confluent Platform components.
Security Vulnerabilities
The following vulnerabilities were fixed in this update:
CVE Reference | CVSS | Impacted Package | Remediation |
CVE-2023-34455 | 7.5 | org.xerial.snappy:snappy-java | Update to CP 7.2.6. More information published in CONFSA-2023-06 |
CVE-2023-34454 | 5.9 | org.xerial.snappy:snappy-java | Update to CP 7.2.6. More information published in CONFSA-2023-06 |
CVE-2023-34453 | 5.9 | org.xerial.snappy:snappy-java | Update to CP 7.2.6. More information published in CONFSA-2023-06 |
Resolved hygiene issues related to Open-Source dependencies
The following package upgrades are included in this release version and are made available to enhance the security hygiene of Confluent software, as no exploitable vector was identified for the CVEs present in impacted packages. We have provided the CVE identifier to assist customers with analysis.
CVE | CVSS | Impacted Package Version | Upgraded Package Version |
CVE-2022-1471 | 9.8 | org.yaml_snakeyaml < 2.0 | org.yaml_snakeyaml:2.0 |
| 7.5 | org.json.json < 20230227 | org.json.json:20230227 |
CVE-2023-1370 | 7.5 | net.minidev:json-smart < 2.4.9 | net.minidev:json-smart:2.4.10 |
CVE-2021-41973 | 6.5 | org.apache.mina-core < 2.0.22 | org.apache.mina-core:2.0.22 |
CVE-2023-26048 | 5.3 | org.eclipse.jetty:jetty-server < 9.4.51 | org.eclipse.jetty:jetty-server:9.4.51 |
CVE-2023-26049 | 5.3 | org.eclipse.jetty:jetty-server < 9.4.51 | org.eclipse.jetty:jetty-server:9.4.51 |
GHSA-jgvc-jfgh-rjvv | N/A | org.bitbucket.b_c:jose4j < 0.9.3 | org.bitbucket.b_c:jose4j:0.9.3 |