CVE-2024-52046 & CVE-2024-53990 #368

Open

epeters-alliander opened this issue Jan 15, 2025 · 4 comments

Comments

@epeters-alliander

When using cp-kafka-connect:7.8.0, CVE scanners are showing 2 critical CVEs:
CVE-2024-52046 & CVE-2024-53990.

See the table below:

┌───────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────┐
│                        Library                        │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                        Title                         │
├───────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────┤
│ org.apache.mina:mina-core (acl-7.8.0.jar)             │ CVE-2024-52046 │ CRITICAL │ fixed  │ 2.2.3             │ 2.2.4, 2.1.10, 2.0.27 │ mina-core: Apache MINA: applications using unbounded │
│                                                       │                │          │        │                   │                       │ deserialization may allow RCE                        │
│                                                       │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-52046           │
├───────────────────────────────────────────────────────┤                │          │        │                   │                       │                                                      │
│ org.apache.mina:mina-core (mina-core-2.2.3.jar)       │                │          │        │                   │                       │                                                      │
│                                                       │                │          │        │                   │                       │                                                      │
│                                                       │                │          │        │                   │                       │                                                      │
├───────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────────┼──────────────────────────────────────────────────────┤
│ org.asynchttpclient:async-http-client (acl-7.8.0.jar) │ CVE-2024-53990 │          │        │ 2.12.3            │ 2.12.4, 3.0.1         │ async-http-client: AsyncHttpClient (AHC) library's   │
│                                                       │                │          │        │                   │                       │ `CookieStore` replaces explicitly defined `Cookie`s  │
│                                                       │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-53990           │
├───────────────────────────────────────────────────────┤                │          │        │                   │                       │                                                      │
│ org.asynchttpclient:async-http-client                 │                │          │        │                   │                       │                                                      │
│ (telemetry-client-3.1518.0.jar)                       │                │          │        │                   │                       │                                                      │
│                                                       │                │          │        │                   │                       │                                                      │
├───────────────────────────────────────────────────────┤                │          │        │                   │                       │                                                      │
│ org.asynchttpclient:async-http-client                 │                │          │        │                   │                       │                                                      │
│ (confluent-metrics-7.8.0-ce.jar)                      │                │          │        │                   │                       │                                                      │
│                                                       │                │          │        │                   │                       │                                                      │
└───────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────┘

Example Dockerfile:

# Use a specific version of the base image
FROM confluentinc/cp-kafka-connect:7.8.0

# Use root user for installations
USER root

# Clean up unnecessary cache and temporary files to reduce the image size
RUN rm -rf /tmp/* /var/lib/apt/lists/* \
    # Install updates
    && yum update -y \
    && yum clean all \
    && rm -rf /var/cache/yum

docker build -t kc:v7.8.0 .
trivy image --scanners vuln --severity HIGH,CRITICAL kc:v7.8.0

@tqivbatista

I am just reporting this issue, but according to engineers at my company, simply upgrading the mina version to one without the vulnerability did not resolve the problem. Although the connector remains in the 'running' status, it is not functioning correctly :(

@alexrodriguesdasilva

alexrodriguesdasilva commented Jan 16, 2025

We fixed the mina-core vulnerability by downloading the .jar dependencies and importing them using the following Dockerfile commands:

Example:

# Remove the old vulnerable files
RUN rm -f /usr/share/java/rest-utils/mina-core-2.2.3.jar

# Update the vulnerable files with the latest versions
COPY your_folder/java/mina-core/mina-core-2.2.4.jar /usr/share/java/rest-utils/mina-core-2.2.4.jar

Mina-core website: https://mina.apache.org/mina-project/
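A verification step to run after a jar swap like the one above, added here as an example and not code from the issue or from Confluent: it walks a directory of jars, reads every Maven pom.properties (descending into nested jars, since the Trivy table lists mina-core under acl-7.8.0.jar as well as under mina-core-2.2.3.jar) and reports each copy of the two artifacts still below the table's fixed versions. The directory it scans is constructed sample input, and that a second jar bundles its own mina-core copy is an assumption about why the table shows two locations.

```python
import io, tempfile, zipfile
from pathlib import Path
FIXED = {  # releases the issue's Trivy table reports as fixed, one per maintained branch
    "org.apache.mina:mina-core": ("2.2.4", "2.1.10", "2.0.27"),
    "org.asynchttpclient:async-http-client": ("2.12.4", "3.0.1")}

def vtuple(v): return tuple(int(p) for p in v.split("."))

def is_fixed(artifact, version):
    """Fixed when >= the fixed release on the same branch (first two components); unlisted branches count as unfixed."""
    ver = vtuple(version)
    for fix in FIXED[artifact]:
        if ver[:2] == vtuple(fix)[:2]:
            return ver >= vtuple(fix)
    return False

def scan_jar(data, location):
    """Yield (location, artifact, version) per Maven pom.properties, descending into nested jars (uber jars bundle deps)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = dict(line.strip().split("=", 1) for line in zf.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                yield location, f"{props['groupId']}:{props['artifactId']}", props["version"]
            elif name.endswith(".jar"):
                yield from scan_jar(zf.read(name), f"{location}!{name}")

def audit(root):
    """Return [(location, artifact, version)] for every copy of a listed artifact still below a fixed version."""
    return [(loc, art, ver) for p in sorted(Path(root).rglob("*.jar"))
            for loc, art, ver in scan_jar(p.read_bytes(), p.name)
            if art in FIXED and not is_fixed(art, ver)]

def sample_jar(group, artifact, version, nested=None):
    """Constructed sample input only: a minimal jar (a zip) with one pom.properties and optionally a nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        if nested:
            zf.writestr("lib/bundled-dep.jar", nested)
    return buf.getvalue()

def demo():
    """Constructed layout, not the real image: the swapped-in mina-core jar beside an uber jar that still bundles 2.2.3."""
    root = Path(tempfile.mkdtemp())
    (root / "mina-core-2.2.4.jar").write_bytes(sample_jar("org.apache.mina", "mina-core", "2.2.4"))
    (root / "bundled-app.jar").write_bytes(sample_jar("org.asynchttpclient", "async-http-client", "2.12.3",
                                                      nested=sample_jar("org.apache.mina", "mina-core", "2.2.3")))
    return audit(root)
```

Run `audit("/usr/share/java")` inside the rebuilt container to confirm nothing, standalone or bundled, still reports a pre-fix version.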

@janjwerner-confluent
Member

This issue will be addressed in the upcoming quarterly patch release.

@FonsBiemans

When is the next release planned? We have to report on the progress of this CVE, as it's a Critical Vulnerability. If this takes too long, we will need to implement a fix ourselves.
