Confluent for Kubernetes (CFK) patch release version 2.8.5 contains fixes that resolve vulnerabilities in Confluent-owned components and in the versions of various dependencies used by Confluent for Kubernetes components.
Security Vulnerabilities
This CFK release version does not include any upgrades related to exploitable security vulnerabilities.
Resolved hygiene issues related to Open-Source dependencies
The following package upgrades are included in this release version. They are provided to improve the security hygiene of Confluent software: no exploitable attack vector was identified for the CVEs present in the impacted packages. The CVE identifiers are listed to assist customers with their own analysis.
| CVE | CVSS | Impacted Package Version | Upgraded Package Version |
| --- | --- | --- | --- |
| GHSA-h4gh-qq45-vh27 | 4 | cryptography < 43.0.1 | cryptography = 43.0.1 |
| CVE-2024-47554 | NA | commons-io:commons-io < 2.14.0 | commons-io:commons-io = 2.14.0 |
This patch release version depends upon the following base OS image versions:
- Red Hat Universal Base Image 8 Minimal version 8.10-1086 for the confluent-init-container image.
- Red Hat Universal Base Image 8 Minimal version 8.10-1130 for the confluent-operator image.