The following information is provided to alert you about vulnerabilities in Confluent software. For further inquiries, please email support@confluent.io or submit a ticket using the Support Portal.
Executive Summary
The following Confluent packages are known to have critical/high CVEs:
- com.fasterxml.jackson.core_jackson-databind:2.10.2
- com.fasterxml.jackson.core_jackson-databind:2.10.5
- org.eclipse.jetty_jetty-io:9.4.20.v20190813
The following sections provide more detailed information about specific packages and resolutions.
Confluent Platform
The Confluent Platform tar archive, and the docker/deb/rpm packages built from it, are affected by the following known CVEs.
com.fasterxml.jackson.core_jackson-databind:2.10.2
- CVEs: CVE-2020-25649 (high, CVSS=7.5): XML external entity (XXE) expansion is not disabled when jackson-databind parses XML input, allowing data exfiltration or server-side request forgery through crafted documents
- Vulnerable docker images and corresponding deb/rpm packages
- confluentinc/cp-kafka-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- Resolution and mitigation: Subsequent 5.X.Y and 6.X.Y releases of the Confluent Platform will update jackson-databind to version 2.10.5.1 or above.
com.fasterxml.jackson.core_jackson-databind:2.10.5
- CVEs: CVE-2020-25649 (high, CVSS=7.5): XML external entity (XXE) expansion is not disabled when jackson-databind parses XML input, allowing data exfiltration or server-side request forgery through crafted documents
- Vulnerable docker images and corresponding deb/rpm packages
- confluentinc/cp-base-new, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-deb9, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-control-center, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-kafka, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-replicator, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-replicator-executable, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-connect-base, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-mqtt, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-rest, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafkacat, tags:5.4.3-1-ubi8
- confluentinc/cp-ksql-cli, tags:5.4.3, 5.4.3-1-deb9, 5.4.3-1-ubi8
- confluentinc/cp-ksql-server, tags:5.4.3, 5.4.3-1-deb9, 5.4.3-1-ubi8
- confluentinc/cp-schema-registry, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server-connect-base, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-zookeeper, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- Resolution and mitigation: Subsequent 5.X.Y and 6.X.Y releases of the Confluent Platform will update jackson-databind to version 2.10.5.1 or above.
org.eclipse.jetty_jetty-io:9.4.20.v20190813
- CVEs: CVE-2020-27216 (high, CVSS=7.8): on Unix-like systems Jetty creates its work directory under the shared system temp directory, so a local user on the same host can race the creation and gain control of files Jetty later uses (local privilege escalation)
- Vulnerable docker images and corresponding deb/rpm packages
- confluentinc/cp-enterprise-control-center, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-kafka, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-replicator, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-enterprise-replicator-executable, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-connect-base, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-mqtt, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-kafka-rest, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-ksql-cli, tags:5.4.3, 5.4.3-1-deb9, 5.4.3-1-ubi8
- confluentinc/cp-ksql-server, tags:5.4.3, 5.4.3-1-deb9, 5.4.3-1-ubi8
- confluentinc/cp-schema-registry, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server-connect, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-server-connect-base, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- confluentinc/cp-zookeeper, tags:5.4.3, 5.4.3-1-deb8, 5.4.3-1-ubi8
- Resolution and mitigation: Subsequent 5.X.Y and 6.X.Y releases of the Confluent Platform will update Jetty to version 9.4.33.v20201020 or above. Jetty releases every org.eclipse.jetty module at the same version, so all Jetty jars in an installation should be upgraded together rather than jetty-io alone.
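To confirm whether a given installation or extracted image actually carries the affected jars, the version strings above have to be compared correctly: 2.10.5 is below 2.10.5.1, and Jetty's dated qualifier (v20190813) must not be mistaken for a numeric component. The following inventory check is an added example, not Confluent tooling. It applies only the two thresholds this advisory states, and, as a generalisation beyond the advisory's jetty-io entry, holds every jetty-*.jar to the Jetty threshold since Jetty ships all modules at one version. The jar listing in SAMPLE_INVENTORY is constructed for the demonstration, not taken from a real image.

```python
"""Inventory check for the jar versions named in this advisory.

Example code added to the advisory, not Confluent tooling.  It walks a
Confluent Platform install (or an extracted image layer) and reports jars
whose version is below the fixed versions the advisory states.  Only those
two thresholds are known to it; it says nothing about other release lines
or other CVEs.
"""
import re
from pathlib import Path

# Fixed versions stated in the advisory.  Anything below is affected.
# A key ending in "-" is a prefix rule: Jetty ships every module at one
# version, so every jetty-*.jar is held to the jetty-io threshold
# (a generalisation beyond the advisory's jetty-io entry).
THRESHOLDS = {
    "jackson-databind": ("2.10.5.1", "CVE-2020-25649"),
    "jetty-": ("9.4.33.v20201020", "CVE-2020-27216"),
}

# Matches artifact-version.jar, e.g. jetty-io-9.4.20.v20190813.jar
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_version(version):
    """Turn '2.10.5.1' or '9.4.33.v20201020' into a comparable tuple.

    Numeric components compare as integers; a qualifier such as
    'v20201020' compares as a string and sorts after any number in the
    same position.  A missing trailing component sorts lower, so
    2.10.5 < 2.10.5.1.
    """
    key = []
    for part in version.split("."):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part))
    return tuple(key)


def threshold_for(artifact):
    """Return (fixed_version, cve) for an artifact we track, else None."""
    if artifact in THRESHOLDS:
        return THRESHOLDS[artifact]
    for prefix, rule in THRESHOLDS.items():
        if prefix.endswith("-") and artifact.startswith(prefix):
            return rule
    return None


def find_vulnerable(jar_paths):
    """Return [(path, cve, fixed_version)] for every jar below its threshold."""
    findings = []
    for path in jar_paths:
        match = JAR_RE.match(Path(path).name)
        if not match:
            continue
        rule = threshold_for(match["artifact"])
        if rule is None:
            continue
        fixed, cve = rule
        if parse_version(match["version"]) < parse_version(fixed):
            findings.append((str(path), cve, fixed))
    return findings


def scan_install(root):
    """Scan a real install tree, e.g. /usr/share/java or an extracted image."""
    return find_vulnerable(sorted(Path(root).rglob("*.jar")))


# Constructed inventory modelled on a 5.4.3 share/java tree; not a real listing.
SAMPLE_INVENTORY = [
    "share/java/kafka/jackson-databind-2.10.5.jar",
    "share/java/kafka/jetty-io-9.4.20.v20190813.jar",
    "share/java/kafka/jetty-server-9.4.20.v20190813.jar",
    "share/java/kafka/kafka-clients-5.4.3-ccs.jar",
    "share/java/confluent-control-center/jackson-databind-2.10.2.jar",
    "share/java/patched/jackson-databind-2.10.5.1.jar",
    "share/java/patched/jetty-io-9.4.33.v20201020.jar",
]

if __name__ == "__main__":
    for path, cve, fixed in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{path}: {cve}, upgrade to {fixed} or later")
```

Run it against a real tree with `scan_install("/usr/share/java")` on a deb/rpm host, or against the directory produced by `docker export` of one of the images listed above. A clean result from this script only means the two advisory thresholds are met; it is not a substitute for a full dependency scan.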
Version: 77ba16dd5f469fcf56253bdc01232c25446c4918