Impacted Versions
- Confluent Platform (CP) versions <= 7.5.1, <= 7.4.2, <= 7.3.5, <= 7.2.7, <= 7.1.9, <= 7.0.11, <= 6.2.12, <= 6.1.13, <= 6.0.15
- Confluent Cloud managed clusters
Recommended Action
- Upgrade to the patch release for the CP branch you run: 7.5.2, 7.4.3, 7.3.6, 7.2.8, 7.1.10, 7.0.12, 6.2.13 or 6.1.14. No patched 6.0.x release is listed here.
- Confluent Cloud managed clusters were impacted by this vulnerability and have already been patched. No customer action is necessary.
Issue
A security issue was identified that impacts both Confluent Platform and Confluent Cloud managed clusters because they relied on vulnerable dependencies: Jetty 9.4.51 and Netty 4.1.86, both affected by CVE-2023-44487 (HTTP/2 "Rapid Reset").
The vulnerability lies in how HTTP/2 servers handle request cancellation. HTTP/2 multiplexes many streams over a single connection, and a client cancels a stream by sending an RST_STREAM frame. A malicious client can open a large number of streams and cancel each one immediately after sending the request headers. The server has already begun allocating resources for each request by the time the reset arrives, while the client's cost per cancelled stream is negligible, and because cancelled streams no longer count against the per-connection concurrent-stream limit, that limit does not bound the attack. The result is resource exhaustion on the server handling the connection.
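The stream lifecycle described above, as an added illustration that is not Confluent's code and not part of this advisory: a minimal HTTP/2 frame encoder and parser that recognises the HEADERS-then-RST_STREAM(CANCEL) pattern in a client-to-server byte stream, run over constructed sample traffic. Frame layout, frame types and the CANCEL error code follow RFC 9113, and the two-byte HPACK block uses static-table indices from RFC 7541; the detection thresholds (`min_streams`, `min_ratio`) are assumptions chosen for this example, not values taken from Jetty or Netty.

```python
import struct

# HTTP/2 frame types, flags and the error code used to cancel a stream (RFC 9113, sections 6 and 7)
HEADERS = 0x1
RST_STREAM = 0x3
ERROR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a raw client-to-server byte stream."""
    if data.startswith(CONNECTION_PREFACE):
        data = data[len(CONNECTION_PREFACE):]
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def rapid_reset_score(data):
    """Count streams opened with HEADERS and how many of them the client cancelled with RST_STREAM(CANCEL)."""
    opened = set()
    headers = cancelled = 0
    for ftype, _flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            headers += 1
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened and len(payload) == 4:
            if struct.unpack(">I", payload)[0] == ERROR_CANCEL:
                cancelled += 1
                opened.discard(sid)  # a reset stream no longer counts towards the concurrency limit
    ratio = cancelled / headers if headers else 0.0
    return headers, cancelled, ratio


def looks_like_rapid_reset(data, min_streams=50, min_ratio=0.9):
    """Heuristic (thresholds are this example's assumption): many streams opened, nearly all cancelled."""
    headers, _, ratio = rapid_reset_score(data)
    return headers >= min_streams and ratio >= min_ratio


def make_burst(n_streams, cancel_every=1):
    """Constructed sample traffic, not a capture: n client streams, every cancel_every-th one reset at once."""
    frames = [CONNECTION_PREFACE]
    for i in range(n_streams):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        # b"\x82\x84" is an HPACK block of static-table entries 2 (:method GET) and 4 (:path /)
        frames.append(build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82\x84"))
        if i % cancel_every == 0:
            frames.append(build_frame(RST_STREAM, 0, sid, struct.pack(">I", ERROR_CANCEL)))
    return b"".join(frames)


ATTACK_SAMPLE = make_burst(100)                # every stream opened and cancelled immediately
BENIGN_SAMPLE = make_burst(5, cancel_every=5)  # one cancelled request among five

if __name__ == "__main__":
    for name, sample in (("attack", ATTACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, rapid_reset_score(sample), looks_like_rapid_reset(sample))
```

The parser is meant for frames you already have in hand, such as a proxy's frame log or a decrypted capture; nothing here sends traffic. The ratio is only a detection heuristic for spotting the pattern, which is why the fix belongs in the server-side libraries rather than in anything a client does.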
Remediation
Confluent Cloud managed clusters have already been patched to address this issue.
For Confluent Platform, the issue is resolved in patch releases 7.5.2, 7.4.3, 7.3.6, 7.2.8, 7.1.10, 7.0.12, 6.2.13 and 6.1.14. These releases upgrade the vulnerable libraries to Jetty 9.4.53 and Netty 4.1.100.Final, the versions that mitigate CVE-2023-44487. After upgrading, confirm that the bundled Jetty and Netty jars were actually replaced rather than relying on the CP version string alone.
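One way to verify that an upgrade replaced the libraries, as an added example rather than a Confluent-supplied tool: it parses Jetty and Netty jar file names against the minimum fixed versions named above. The directory to scan (for example the share/java tree of a CP install) is yours to supply and is an assumption of this example; the two listings in the block are constructed, not taken from a real installation; and netty-tcnative is skipped because it is versioned independently of Netty core and would otherwise be a false positive.

```python
import os
import re
import sys

# Minimum fixed dependency versions stated in the advisory
FIXED_MIN = {"jetty": (9, 4, 53), "netty": (4, 1, 100)}

# Artifacts under the netty name that do not follow Netty core's 4.1.x numbering
SEPARATELY_VERSIONED = ("tcnative",)

# Matches "<lib>-<artifact>-<major>.<minor>.<patch>..." such as netty-codec-http2-4.1.86.Final.jar
JAR_RE = re.compile(r"^(?P<lib>jetty|netty)-(?P<artifact>[a-z0-9-]+)-(?P<ver>\d+\.\d+\.\d+)")


def parse_jar(name):
    """Return (lib, artifact, version_tuple) for a Jetty/Netty jar file name, or None for anything else."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("lib"), m.group("artifact"), version


def audit_jar_names(names):
    """Return [(file, found_version, required_version)] for every jar below the fixed minimum."""
    findings = []
    for name in sorted(names):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        lib, artifact, version = parsed
        if artifact.startswith(SEPARATELY_VERSIONED):
            continue
        if version < FIXED_MIN[lib]:  # tuple comparison, so 4.1.99 < 4.1.100 behaves correctly
            findings.append((name, ".".join(map(str, version)), ".".join(map(str, FIXED_MIN[lib]))))
    return findings


def audit_directory(path):
    """Audit every .jar under a directory tree; the path (e.g. CP's share/java) is the caller's choice."""
    names = [f for _, _, files in os.walk(path) for f in files if f.endswith(".jar")]
    return audit_jar_names(names)


# Constructed listings for demonstration, not taken from a real installation
VULNERABLE_LISTING = [
    "jetty-server-9.4.51.v20230217.jar",
    "jetty-http-9.4.51.v20230217.jar",
    "jetty-util-9.4.51.v20230217.jar",
    "netty-codec-http2-4.1.86.Final.jar",
    "netty-handler-4.1.86.Final.jar",
    "netty-transport-native-epoll-4.1.86.Final-linux-x86_64.jar",
    "netty-tcnative-boringssl-static-2.0.61.Final.jar",
    "kafka-clients-7.5.1-ccs.jar",
    "zookeeper-3.8.1.jar",
]
PATCHED_LISTING = [
    "jetty-server-9.4.53.v20231009.jar",
    "jetty-http-9.4.53.v20231009.jar",
    "netty-codec-http2-4.1.100.Final.jar",
    "netty-handler-4.1.100.Final.jar",
    "netty-tcnative-boringssl-static-2.0.61.Final.jar",
    "kafka-clients-7.5.2-ccs.jar",
]

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run against the constructed vulnerable listing.
    findings = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_jar_names(VULNERABLE_LISTING)
    for name, found, required in findings:
        print(f"{name}: {found} is below required {required}")
    sys.exit(1 if findings else 0)
```

This is a file-name check only: a shaded or renamed jar that embeds Netty or Jetty classes will not be reported, so treat an empty result as necessary, not sufficient, and prefer the CP patch release over replacing jars by hand.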