Confluent CVE Bulletin: v5.5.2

The following information is provided to alert you about vulnerabilities in Confluent software. For further inquiries, please email support@confluent.io or submit a ticket using the Support Portal.

Executive Summary

The following Confluent packages are known to have critical/high CVEs:

• com.fasterxml.jackson.core_jackson-databind:2.10.2
• com.fasterxml.jackson.core_jackson-databind:2.10.5
• com.fasterxml.jackson.core_jackson-databind:2.9.10
• io.netty_netty-codec:4.1.42.Final
• log4j_log4j:1.2.17
• org.apache.activemq_activemq-client:5.14.4
• org.eclipse.jetty_jetty-io:9.4.24.v20191120
• org.yaml_snakeyaml:1.23

The following sections provide more detailed information about specific packages and resolutions.

Confluent Platform

The Confluent Platform tar archive, and subsequent docker/deb/rpm packages are affected by the following known CVEs.

• com.fasterxml.jackson.core_jackson-databind:2.10.2

  • CVEs: CVE-2020-25649 (high, CVSS=7.5)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-enterprise-control-center, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-control-center-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-enterprise-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-executable, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-rest, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-schema-registry, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-schema-registry-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-zookeeper, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-zookeeper-operator, tags:5.5.2.0, 5.5.2.0-ubi8
  • Resolution and mitigation: Version 5.5.3 of Confluent Platform will update jackson-databind to 2.10.5.1, which resolves this vulnerability.

• com.fasterxml.jackson.core_jackson-databind:2.10.5

  • CVEs: CVE-2020-25649 (high, CVSS=7.5)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-base-new, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-deb9, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-deb9, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-deb9, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-control-center, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-control-center-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-enterprise-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-executable, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-init-container-operator, tags:5.5.2.0-ubi8
    • confluentinc/cp-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-mqtt, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-rest, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafkacat, tags:5.5.2-1-ubi8, 5.5.2-2-ubi8, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-cli, tags:5.5.2, 5.5.2-1-deb9, 5.5.2-1-ubi8, 5.5.2-2-deb9, 5.5.2-2-ubi8, 5.5.2-3-deb9, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-server, tags:5.5.2, 5.5.2-1-deb9, 5.5.2-1-ubi8, 5.5.2-2-deb9, 5.5.2-2-ubi8, 5.5.2-3-deb9, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-server-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-schema-registry, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-schema-registry-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-zookeeper, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-zookeeper-operator, tags:5.5.2.0, 5.5.2.0-ubi8
  • Resolution and mitigation: Version 5.5.3 of Confluent Platform will update jackson-databind to 2.10.5.1, which resolves this vulnerability.

• com.fasterxml.jackson.core_jackson-databind:2.9.10

  • CVEs: CVE-2020-9548 (critical, CVSS=9.8) CVE-2020-9547 (critical, CVSS=9.8) CVE-2020-9546 (critical, CVSS=9.8) CVE-2020-8840 (critical, CVSS=9.8) CVE-2019-20330 (critical, CVSS=9.8) CVE-2019-17531 (critical, CVSS=9.8) CVE-2019-16943 (critical, CVSS=9.8) CVE-2019-16942 (critical, CVSS=9.8) CVE-2020-11113 (high, CVSS=8.8) CVE-2020-11112 (high, CVSS=8.8) CVE-2020-11111 (high, CVSS=8.8) CVE-2020-10969 (high, CVSS=8.8) CVE-2020-10968 (high, CVSS=8.8) CVE-2020-10673 (high, CVSS=8.8) CVE-2020-10672 (high, CVSS=8.8) CVE-2020-35491 (high, CVSS=8.1) CVE-2020-35490 (high, CVSS=8.1) CVE-2020-24750 (high, CVSS=8.1) CVE-2020-24616 (high, CVSS=8.1) CVE-2020-14195 (high, CVSS=8.1) CVE-2020-14062 (high, CVSS=8.1) CVE-2020-14061 (high, CVSS=8.1) CVE-2020-14060 (high, CVSS=8.1) CVE-2020-11620 (high, CVSS=8.1) CVE-2020-11619 (high, CVSS=8.1) CVE-2020-25649 (high, CVSS=7.5)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-kafka-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
  • Resolution and mitigation: Use the updated connect docker images with the tag 5.5.2-2-ubi8/5.5.2-2-deb8 or above, or use the tag 5.5.2, which always points to the latest docker release.

• io.netty_netty-codec:4.1.42.Final

  • CVEs: CVE-2020-11612 (critical, CVSS=9.8) CVE-2019-20445 (critical, CVSS=9.1) CVE-2019-20444 (critical, CVSS=9.1)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-kafka-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
  • Resolution and mitigation: Use the updated connect docker images with the tag 5.5.2-2-ubi8/5.5.2-2-deb8 or above, or use the tag 5.5.2, which always points to the latest docker release.

• log4j_log4j:1.2.17

  • CVEs: CVE-2019-17571 (critical, CVSS=9.8)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-kafka-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
  • Resolution and mitigation: Use the updated connect docker images with the tag 5.5.2-2-ubi8/5.5.2-2-deb8 or above, or use the tag 5.5.2, which always points to the latest docker release.

• org.apache.activemq_activemq-client:5.14.4

  • CVEs: CVE-2019-0222 (high, CVSS=7.5) CVE-2018-11775 (high, CVSS=7.4)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-kafka-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-operator, tags:5.5.2.0, 5.5.2.0-ubi8
  • Resolution and mitigation: Version 5.5.3 of Confluent Platform will include an updated version of ActiveMQ.

• org.eclipse.jetty_jetty-io:9.4.24.v20191120

  • CVEs: CVE-2020-27216 (high, CVSS=7.8)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-enterprise-control-center, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-control-center-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-enterprise-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-executable, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-enterprise-replicator-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-kafka, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-mqtt, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-kafka-rest, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-cli, tags:5.5.2, 5.5.2-1-deb9, 5.5.2-1-ubi8, 5.5.2-2-deb9, 5.5.2-2-ubi8, 5.5.2-3-deb9, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-server, tags:5.5.2, 5.5.2-1-deb9, 5.5.2-1-ubi8, 5.5.2-2-deb9, 5.5.2-2-ubi8, 5.5.2-3-deb9, 5.5.2-3-ubi8
    • confluentinc/cp-ksqldb-server-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-schema-registry, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-schema-registry-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-base, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-server-connect-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-server-operator, tags:5.5.2.0, 5.5.2.0-ubi8
    • confluentinc/cp-zookeeper, tags:5.5.2, 5.5.2-1-deb8, 5.5.2-1-ubi8, 5.5.2-2-deb8, 5.5.2-2-ubi8, 5.5.2-3-deb8, 5.5.2-3-ubi8
    • confluentinc/cp-zookeeper-operator, tags:5.5.2.0, 5.5.2.0-ubi8
  • Resolution and mitigation: Version 5.5.3 of Confluent Platform will update Jetty to 9.4.33.v20201020, which resolves this vulnerability.

• org.yaml_snakeyaml:1.23

  • CVEs: CVE-2017-18640 (high, CVSS=7.5)
  • Vulnerable docker images and corresponding deb/rpm packages
    • confluentinc/cp-kafka-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
    • confluentinc/cp-server-connect, tags:5.5.2-1-deb8, 5.5.2-1-ubi8
  • Resolution and mitigation: Use the updated connect docker images with the tag 5.5.2-2-ubi8/5.5.2-2-deb8 or above, or use the tag 5.5.2, which always points to the latest docker release.