Confluent Platform 5.3.8 contains security fixes for the following open source packages:
Resolved CVEs related to Open-Source Dependencies

| CVE | CVSS | Vulnerable Package Version | Upgraded Package Version |
| --- | --- | --- | --- |
| | 6.5 | io.netty:netty-codec-http < 4.1.71 | io.netty:netty-codec-http:4.1.7 |
Hardening of Confluent’s fork of Log4j

| CVE | CVSS | Vulnerable Package Version | Upgraded Package Version | Applicable fix on Confluent’s fork of Log4j |
| --- | --- | --- | --- | --- |
| | 9.8 | confluent-log4j <= 1.2.17-cp2.1 | confluent-log4j: 1.2.17-cp2.2 | Confluent Platform code and its use of a private fork of Log4j v1.x were not identified as vulnerable to this CVE. Out of an abundance of caution, the Chainsaw class was removed from Confluent’s upgraded fork of Log4j as a safety measure. |
| | 9.8 | confluent-log4j <= 1.2.17-cp2.1 | confluent-log4j: 1.2.17-cp2.2 | Confluent Platform code and its use of a private fork of Log4j v1.x were not identified as vulnerable to this CVE. Out of an abundance of caution, the JDBCAppender class was removed from Confluent’s upgraded fork of Log4j as a safety measure. |
| | 8.8 | confluent-log4j <= 1.2.17-cp2.1 | confluent-log4j: 1.2.17-cp2.2 | Confluent Platform code and its use of a private fork of Log4j v1.x were not identified as vulnerable to this CVE. Out of an abundance of caution, the JMSSink class was removed from Confluent’s upgraded fork of Log4j as a safety measure. |
| | 7.5 | confluent-log4j <= 1.2.17-cp2.1 | confluent-log4j: 1.2.17-cp2.2 | Confluent Platform code and its use of a private fork of Log4j v1.x were not identified as vulnerable to this CVE. Out of an abundance of caution, the JMSAppender class was removed from Confluent’s upgraded fork of Log4j as a safety measure. |
| | 3.7 | confluent-log4j <= 1.2.17-cp2.1 | confluent-log4j: 1.2.17-cp2.2 | Confluent Platform code and its use of a private fork of Log4j v1.x were not identified as vulnerable to this CVE. Out of an abundance of caution, the SMTPAppender class was removed from Confluent’s upgraded fork of Log4j as a safety measure. |