Confluent Platform 5.3.6 contains security fixes for the following open source packages:
| CVE | CVSS | Vulnerable Package Version | Upgraded Package Version |
|---|---|---|---|
| | 9.8 | org.apache.logging.log4j:log4j < 2.13.2 | io.confluent:confluent-log4j:jar:1.2.17-cp2 |
| | 9.1 | cryptography < 3.3.2 | cryptography:3.3.2 |
| | 8.1 | org.bouncycastle:bcprov-jdk15on < 1.67 | org.bouncycastle:bcprov-jdk15on:1.68 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | urllib3 < 1.26.5 | urllib3:1.26.6 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 6.5 | urllib3 < 1.25.9 | urllib3:1.26.6 |
| | 5.3 | org.eclipse.jetty:jetty-webapp < 9.4.43.v20210629 | org.eclipse.jetty:jetty-webapp:9.4.43.v20210629 |
| | 5.3 | jinja < 2.11.3 | jinja:2.11.3 |
| | 5.3 | org.eclipse.jetty:jetty-servlets < 9.4.41.v20210516 | org.eclipse.jetty:jetty-servlets:9.4.43.v20210629 |
| | 5.3 | commons-io:commons-io < 2.7 | commons-io:commons-io:2.7 |
| | 4.2 | pip < 21.1 | pip:21.1 |
| | 3.7 | org.apache.logging.log4j:log4j < 2.13.2 | org.apache.logging.log4j:log4j:2.13.2 |
| | 3.5 | org.eclipse.jetty:jetty-server < 9.4.41.v20210516 | org.eclipse.jetty:jetty-server:9.4.43 |
| | 3.3 | com.google.guava:guava < 30.0-jre | com.google.guava:guava:30.0-jre |
This release also contains the following security fixes:
- CVE-2021-38153 (CVSS: 6.8), which is rated as a Medium severity issue by Confluent. More details about this issue are available in this security advisory.
- CONFSA-2021-02 (CVSS: 8.6), which is rated as a High severity issue by Confluent. More information will be provided in an upcoming security advisory once all supported versions have an update available and once coordinated disclosure with impacted third parties is complete.