Impacted Versions
- Confluent Platform versions < 7.6.1, < 7.5.4, < 7.4.5, < 7.3.8, < 7.2.10, < 7.1.12, < 7.0.14, < 6.2.15
Recommended Action
- Upgrade to Confluent Platform versions 7.6.1, 7.5.4, 7.4.5, 7.3.8, 7.2.10, 7.1.12, 7.0.14, 6.2.15
Issue
A security issue was discovered in Confluent Platform because it bundles Jetty web server version 9.4.53, which is affected by CVE-2024-22201. The flaw lies in how Jetty handles TCP congestion on HTTP/2 connections: an HTTP/2 TLS connection that is established and then becomes TCP-congested is leaked, rather than closed, when it times out. An unauthenticated remote attacker can open many such connections and leave them in that state, exhausting the server's file descriptors until the web server stops accepting new connections from legitimate clients. In Confluent Platform this can cause the Kafka REST Proxy to stop processing new requests (denial of service); no confidentiality or integrity impact is involved.
Remediation
This issue is resolved in Confluent Platform patch release versions 7.6.1, 7.5.4, 7.4.5, 7.3.8, 7.2.10, 7.1.12, 7.0.14, 6.2.15. These fixes adequately address this issue by upgrading the vulnerable Jetty library version to 9.4.54.
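To turn the version lists under Impacted Versions, Recommended Action and Remediation into a repeatable check, the following script classifies an installed Confluent Platform version against this advisory's fixed patch releases and flags bundled Jetty 9.4.x jars older than 9.4.54. This is an added example, not Confluent's own tooling: the fixed-version table comes from the advisory, while the `jetty-<module>-<version>.jar` file-name pattern, the `SAMPLE_JARS` list and the status labels are assumptions constructed for illustration. Release lines the advisory does not list are reported as not covered rather than guessed.

```python
"""Check a Confluent Platform install against the Jetty CVE-2024-22201 advisory.

Added example (not Confluent tooling). Fixed versions are from the advisory;
jar-name pattern and sample inputs are constructed assumptions.
"""
import re
import sys
import pathlib
from typing import Iterable, List, Optional, Tuple

# Patch releases that upgrade Jetty to 9.4.54 (Remediation section above).
FIXED_VERSIONS = ("7.6.1", "7.5.4", "7.4.5", "7.3.8",
                  "7.2.10", "7.1.12", "7.0.14", "6.2.15")

# Jetty release line and first fixed version named by the advisory.
JETTY_LINE = (9, 4)
JETTY_FIXED = (9, 4, 54)

# Assumed jar naming: jetty-server-9.4.53.v20231009.jar, jetty-util-9.4.54.jar
JETTY_JAR = re.compile(
    r"^jetty-(?P<module>[a-z0-9-]+)-(?P<ver>\d+\.\d+\.\d+)(?:\.v\d{8})?\.jar$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.4.3' -> (7, 4, 3); rejects anything that is not dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"not an x.y.z version: {v!r}")
    return tuple(int(x) for x in m.groups())


# major.minor line -> first fixed patch release on that line
FIXED_BY_LINE = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}


def cp_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-covered' for a CP version string.

    A listed release line is vulnerable below its fixed patch release and
    fixed at or above it. Lines absent from the advisory (e.g. 6.1.x or any
    later 7.7+ line) are 'not-covered' rather than assumed safe or unsafe.
    """
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return "not-covered"
    return "fixed" if v >= fixed else "vulnerable"


def jetty_jar_version(jar_name: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from a Jetty jar file name, else None."""
    m = JETTY_JAR.match(jar_name)
    return parse_version(m.group("ver")) if m else None


def vulnerable_jetty_jars(jar_names: Iterable[str]) -> List[str]:
    """Return the Jetty 9.4.x jar names older than 9.4.54.

    Only the 9.4 line is judged here because that is the line this advisory
    covers; jars from other Jetty lines are left for a separate check.
    """
    out = []
    for name in jar_names:
        ver = jetty_jar_version(name)
        if ver is not None and ver[:2] == JETTY_LINE and ver < JETTY_FIXED:
            out.append(name)
    return out


# Constructed sample file names, not taken from a real installation.
SAMPLE_JARS = [
    "jetty-server-9.4.53.v20231009.jar",
    "jetty-http-9.4.53.v20231009.jar",
    "jetty-util-9.4.54.v20240208.jar",
    "kafka-clients-7.4.5-ccs.jar",
]


if __name__ == "__main__":
    # Usage: python check_cp_jetty.py <cp_version> [<confluent_home>]
    cp_version = sys.argv[1] if len(sys.argv) > 1 else "7.4.3"
    if len(sys.argv) > 2:
        root = pathlib.Path(sys.argv[2])
        jars = sorted(p.name for p in root.rglob("jetty-*.jar"))
    else:
        jars = SAMPLE_JARS
    print(f"Confluent Platform {cp_version}: {cp_status(cp_version)}")
    for jar in vulnerable_jetty_jars(jars):
        print(f"  vulnerable Jetty jar: {jar}")
```

Run with no arguments to see the constructed sample classified, or pass the installed version and the Confluent home directory to scan real jar names; the status for a version line the advisory does not list is deliberately "not-covered" so the script never reports a later release line as fixed on the basis of this advisory alone.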
CVSS Score: 7.5
CVSS v3.1 Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1