Confluent Platform 5.4.4 contains security fixes for the following open source packages:
cryptography - CVE-2020-36242 (CVSS: 9.1)
The vulnerability is addressed in version 3.3.2 of cryptography. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 3.4.7.
jinja2 - CVE-2020-28493 (CVSS: 5.3)
The vulnerability is addressed in version 2.11.3 of jinja2. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 2.11.3.
pyyaml - CVE-2020-14343 (CVSS: 9.8)
The vulnerability is addressed in version 5.4 of pyyaml. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 5.4.1.
urllib3 - CVE-2020-26137 (CVSS: 6.5)
The vulnerability is addressed in version 1.25.9 of urllib3. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 1.26.4.
org.apache.activemq:activemq-client - CVE-2020-13947 (CVSS: 6.1)
The vulnerability is addressed in versions 5.16.1 and 5.15.14 of activemq-client. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 5.16.1.
org.apache.activemq:activemq-client - CVE-2021-26117 (CVSS: 7.5)
The vulnerability is addressed in versions 5.16.1 and 5.15.14 of activemq-client. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 5.16.1.
org.apache.httpcomponents:httpclient - CVE-2020-13956 (CVSS: 5.3)
The vulnerability is addressed in version 4.5.13 of httpclient. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 4.5.13.
com.fasterxml.jackson.core:jackson-databind - CVE-2020-25649 (CVSS: 7.5)
The vulnerability is addressed in version 2.10.5.1 of jackson-databind. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 2.10.5.1.
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor - CVE-2020-28491 (CVSS: 7.5)
The vulnerability is addressed in versions 2.11.4 and 2.12.1 of jackson-dataformat-cbor. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 2.11.4.
org.glassfish.jersey.core:jersey-common - CVE-2021-28168 (CVSS: 5.5)
The vulnerability is addressed in versions 3.0.2 and 2.34 of jersey-common. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 2.34.
org.eclipse.jetty:jetty-webapp - CVE-2020-27216 (CVSS: 7.0)
The vulnerability is addressed in version 9.4.33.v20201020 of jetty-webapp. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-server - CVE-2020-27218 (CVSS: 4.8)
The vulnerability is addressed in version 9.4.35.v20201120 of jetty-server. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-server - CVE-2020-27223 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.37.v20210219 of jetty-server. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-io - CVE-2021-28165 (CVSS: 7.5)
The vulnerability is addressed in version 9.4.39 of jetty-io. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.eclipse.jetty:jetty-webapp - CVE-2021-28164 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.39 of jetty-webapp. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to versions 9.4.39.v20210325 and 9.4.40.v20210413.
org.postgresql:postgresql - CVE-2020-13692 (CVSS: 7.7)
The vulnerability is addressed in version 42.2.13 of postgresql. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 42.2.19.
io.netty:netty-codec-http2 - CVE-2021-21409 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.61.Final of netty-codec-http2. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 4.1.62.Final.
io.netty:netty-codec-http2 - CVE-2021-21295 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.60.Final of netty-codec-http2. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 4.1.62.Final.
io.netty:netty-codec-http - CVE-2021-21290 (CVSS: 5.5)
The vulnerability is addressed in version 4.1.59.Final of netty-codec-http. Confluent Platform has resolved this CVE in release 5.4.4 by upgrading to version 4.1.62.Final.
Confluent Platform 5.4.4 also contains the following security fix:
- CONFSA-2021-01 (CVSS: 4.9) which is rated as a Medium severity issue by Confluent. More details about this issue are available in this security advisory.