Confluent Platform 5.5.4 contains security fixes for the following open source packages:
cryptography - CVE-2020-36242 (CVSS: 9.10)
The vulnerability is addressed in version 3.3.2 of cryptography. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 3.4.7.
jinja2 - CVE-2020-28493 (CVSS: 5.30)
The vulnerability is addressed in version 2.11.3 of jinja2. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 2.11.3.
pyyaml - CVE-2020-14343 (CVSS: 9.80)
The vulnerability is addressed in version 5.4 of pyyaml. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 5.4.1.
urllib3 - CVE-2020-26137 (CVSS: 6.50)
The vulnerability is addressed in version 1.25.9 of urllib3. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 1.26.4.
org.apache.activemq:activemq-client - CVE-2021-26117 (CVSS: 7.50)
The vulnerability is addressed in version 5.15.14 of activemq-client. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 5.15.14.
org.bouncycastle:bcprov-jdk15on - CVE-2020-28052 (CVSS: 8.1)
The vulnerability is addressed in version 1.67 of bcprov-jdk15on. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 1.68.
com.google.oauth-client:google-oauth-client - CVE-2020-7692 (CVSS: 9.1)
The vulnerability is addressed in version 1.31.0 of google-oauth-client. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 1.31.1.
org.hibernate.validator:hibernate-validator - CVE-2020-10693 (CVSS: 5.3)
The vulnerability is addressed in versions 6.0.19.Final and 6.1.3.Final of hibernate-validator. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 6.1.7.
org.apache.httpcomponents:httpclient - CVE-2020-13956 (CVSS: 5.30)
The vulnerability is addressed in version 4.5.13 of httpclient. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 4.5.13.
com.fasterxml.jackson.core:jackson-databind - CVE-2020-25649 (CVSS: 7.5)
The vulnerability is addressed in version 2.10.5.1 of jackson-databind. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 2.10.5.1.
org.eclipse.jetty:jetty-io - CVE-2020-27218 (CVSS: 4.80)
The vulnerability is addressed in version 9.4.35.v20201120 of jetty-io. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-io - CVE-2020-27223 (CVSS: 5.30)
The vulnerability is addressed in version 9.4.37.v20210219 of jetty-io. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-io - CVE-2021-28165 (CVSS: 7.5)
The vulnerability is addressed in version 9.4.39 of jetty-io. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-webapp - CVE-2021-28164 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.39 of jetty-webapp. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-deploy - CVE-2021-28163 (CVSS: 2.70)
The vulnerability is addressed in version 9.4.39 of jetty-deploy. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 9.4.39.v20210325.
org.jetbrains.kotlin:kotlin-stdlib - CVE-2020-29582 (CVSS: 5.30)
The vulnerability is addressed in version 1.4.21 of kotlin-stdlib. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 1.4.21.
io.netty:netty-all - CVE-2021-21409 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.61.Final of netty-all. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 4.1.62.Final.
io.netty:netty-all - CVE-2021-21295 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.60.Final of netty-all. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 4.1.62.Final.
io.netty:netty-all - CVE-2021-21290 (CVSS: 5.5)
The vulnerability is addressed in version 4.1.59.Final of netty-all. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 4.1.62.Final.
org.postgresql:postgresql - CVE-2020-13692 (CVSS: 7.7)
The vulnerability is addressed in version 42.2.13 of postgresql. Confluent Platform has resolved this CVE in release 5.5.4 by upgrading to version 42.2.19.
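One way to check an existing installation against the minimum versions listed above, as an added example that is not Confluent's own tooling: the script below parses jar file names of the form artifact-version.jar, compares versions component-wise (handling Jetty's .vYYYYMMDD stamps, Netty's .Final suffix, pre-release qualifiers, and four-part versions such as 2.10.5.1), and reports every tracked artifact that sits below the 5.5.4 floor. It assumes the jars live under $CONFLUENT_HOME/share/java, the usual layout of a package or tarball install; the sample listing is constructed for illustration and is not a real directory listing. The Python packages at the top of the list (cryptography, jinja2, pyyaml, urllib3) are not jars and are not covered here.

```python
"""Check bundled jars against the minimum dependency versions that
Confluent Platform 5.5.4 ships (added example; not Confluent's own tool)."""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# Minimum versions per the 5.5.4 release notes above, keyed by jar base name.
FIXED_JAR_VERSIONS: Dict[str, str] = {
    "activemq-client": "5.15.14",
    "bcprov-jdk15on": "1.68",
    "google-oauth-client": "1.31.1",
    "hibernate-validator": "6.1.7",
    "httpclient": "4.5.13",
    "jackson-databind": "2.10.5.1",
    "jetty-io": "9.4.39.v20210325",
    "jetty-webapp": "9.4.39.v20210325",
    "jetty-deploy": "9.4.39.v20210325",
    "kotlin-stdlib": "1.4.21",
    "netty-all": "4.1.62.Final",
    "postgresql": "42.2.19",
}

# artifact-version.jar: the artifact may contain dashes, the version starts with a digit
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[\w.]*)\.jar$")
PRERELEASE_RE = re.compile(r"^(alpha|beta|rc|cr|m|milestone|snapshot|ea)\d*$", re.I)


def parse_jar_name(filename: str) -> Optional[Tuple[str, str]]:
    """'jetty-io-9.4.39.v20210325.jar' -> ('jetty-io', '9.4.39.v20210325')."""
    m = JAR_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None


def version_key(version: str):
    """Sortable key: numeric parts as ints (Jetty's vYYYYMMDD stamp counts as
    numeric); a pre-release qualifier sorts below the release; 'Final', 'GA'
    and similar markers are ignored, so 6.1.7.Final == 6.1.7 and 2.10.5.1 > 2.10.5."""
    numbers, is_release, qualifier = [], 1, ""
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit():
            numbers.append(int(tok))
        elif re.fullmatch(r"v\d+", tok):
            numbers.append(int(tok[1:]))
        elif PRERELEASE_RE.match(tok):
            is_release, qualifier = 0, tok.lower()
    return (numbers, is_release, qualifier)


def check_jars(jar_paths: Iterable[str],
               minimums: Dict[str, str] = FIXED_JAR_VERSIONS) -> Dict[str, Tuple[str, str]]:
    """Return {artifact: (found, required)} for every tracked jar below its floor."""
    below = {}
    for path in jar_paths:
        parsed = parse_jar_name(Path(path).name)
        if parsed is None:
            continue
        name, found = parsed
        required = minimums.get(name)
        if required and version_key(found) < version_key(required):
            below[name] = (found, required)
    return below


def scan_install(confluent_home: str) -> Dict[str, Tuple[str, str]]:
    """Assumed layout: every component's jars live under share/java/<component>/."""
    root = Path(confluent_home) / "share" / "java"
    return check_jars(str(p) for p in root.rglob("*.jar"))


# Constructed sample listing (not a real install) mimicking a pre-5.5.4 host.
SAMPLE_JARS = [
    "share/java/kafka/jetty-io-9.4.38.v20210224.jar",
    "share/java/kafka/jetty-webapp-9.4.39.v20210325.jar",
    "share/java/confluent-common/jackson-databind-2.10.5.jar",
    "share/java/kafka/netty-all-4.1.62.Final.jar",
    "share/java/kafka-connect-jdbc/postgresql-42.2.13.jar",
    "share/java/ksql/hibernate-validator-6.1.7.Final.jar",
    "share/java/kafka/bcprov-jdk15on-1.68.jar",
    "share/java/kafka/kotlin-stdlib-common-1.4.21.jar",  # untracked artifact, skipped
]

if __name__ == "__main__":
    import sys
    findings = scan_install(sys.argv[1]) if len(sys.argv) > 1 else check_jars(SAMPLE_JARS)
    for name, (found, required) in sorted(findings.items()):
        print(f"{name}: found {found}, 5.5.4 ships {required}")
    sys.exit(1 if findings else 0)
```

Run it with the installation root as the first argument to scan a real host; with no argument it checks the constructed sample and reports jetty-io, jackson-databind and postgresql as below the floor. A clean run is necessary but not sufficient: a shaded or uber jar that bundles a vulnerable class does not reveal that class's version in its file name, so pair this check with a proper SCA scan of jar contents.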
Confluent Platform 5.5.4 also contains the following security fixes:
- CONFSA-2021-01 (CVSS: 4.9), which Confluent rates as a medium-severity issue. More information will be provided in an upcoming security advisory once all supported versions have an update available.