
Critical Vulnerabilities found in release 4.0.2 #695

Closed
ricardoredondo opened this issue Nov 6, 2024 · 7 comments

Comments

@ricardoredondo

While working with Kafdrop, a few High and Critical vulnerabilities were found. Is it possible to get these vulnerabilities addressed?

What vulnerabilities were found:

  • {"service_name": "kafka-monitor", "package": "com.google.protobuf:protobuf-java", "version": "4.27.2", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-7254", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-5971", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-6162", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "io.undertow:undertow-core", "version": "2.3.13.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-7885", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "org.apache.avro:avro", "version": "1.11.3", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-47561", "Severity": "CRITICAL"},
  • {"service_name": "kafka-monitor", "package": "org.apache.commons:commons-compress", "version": "1.21", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-25710", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "org.jboss.xnio:xnio-api", "version": "3.8.8.Final", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2023-5685", "Severity": "HIGH"},
  • {"service_name": "kafka-monitor", "package": "org.springframework:spring-webmvc", "version": "6.1.10", "valid_until": "YYYY-MM-DDTHH:MM:SSZ", "VulnerabilityID": "CVE-2024-38816", "Severity": "HIGH"}

How to retrieve the list of vulnerabilities:
For this I used Trivy, which is a popular open source security scanner for vulnerabilities.
Trivy installation: https://aquasecurity.github.io/trivy/v0.57/getting-started/installation/
How to run it:

Looking forward to an update on this.

@Bert-R
Collaborator

Bert-R commented Nov 8, 2024

Do you mind running the same scan on the latest snapshot build? Then we know whether it would help to release the current snapshot.

@nickmarden

I fired up the kafdrop-4.0.3-SNAPSHOT.jar image, copied the jar over to my local filesystem, and unpacked the jar contents for scanning:

[Nicks-Prodigious-MacBook-Pro]➜  tmp ls -al
total 0
drwxr-xr-x    5 nick  staff   160 Nov 22 13:07 .
drwxr-x---+ 182 nick  staff  5824 Nov 22 13:08 ..
drwxr-xr-x    6 nick  staff   192 Nov 22 12:12 BOOT-INF
drwxr-xr-x    7 nick  staff   224 Nov 22 12:12 META-INF
drwxr-xr-x    3 nick  staff    96 Jan 31  1980 org

[Nicks-Prodigious-MacBook-Pro]➜  tmp trivy rootfs . --scanners vuln --severity HIGH,CRITICAL
2024-11-22T13:08:10.400-0500	INFO	Vulnerability scanning is enabled
2024-11-22T13:08:10.427-0500	INFO	Number of language-specific files: 1
2024-11-22T13:08:10.427-0500	INFO	Detecting jar vulnerabilities...

[Nicks-Prodigious-MacBook-Pro]➜  tmp trivy rootfs . --scanners vuln
2024-11-22T13:08:16.572-0500	INFO	Vulnerability scanning is enabled
2024-11-22T13:08:16.602-0500	INFO	Number of language-specific files: 1
2024-11-22T13:08:16.602-0500	INFO	Detecting jar vulnerabilities...

Which might show that the new version solves the issue? But I'm not sure. cc @ricardoredondo
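The first post leaves the actual Trivy invocation out, and the snapshot check above is done by eyeballing two scans for missing output. The following is an added example (not code from Kafdrop, Trivy, or any commenter) that does both steps mechanically: it flattens a Trivy JSON report (`trivy rootfs . --scanners vuln --format json`) into records shaped like the ones in the report, filters to HIGH/CRITICAL, collapses a jar that Trivy lists under several paths into one finding, and diffs two reports to answer "does releasing the snapshot help?". The Trivy field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `PkgPath`, `InstalledVersion`, `FixedVersion`, `Severity`) are assumed from Trivy's JSON report format; both embedded reports are constructed samples, and the `FixedVersion` values and the MEDIUM placeholder finding in them are made up for illustration rather than looked up.

```python
"""Triage helper for Trivy JSON reports (example code, not part of Kafdrop or Trivy).

Assumed Trivy JSON layout: a top-level "Results" list, each entry carrying an
optional "Vulnerabilities" list whose items have VulnerabilityID, PkgName, PkgPath,
InstalledVersion, FixedVersion and Severity. Trivy omits "Vulnerabilities" entirely
when a target is clean. Produce a real report with:
    trivy rootfs . --scanners vuln --format json > report.json
"""
import json
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _vuln(cve: str, pkg: str, installed: str, fixed: str, sev: str, path: str) -> Dict[str, str]:
    """Build one vulnerability entry in the assumed Trivy shape (constructed sample data)."""
    return {"VulnerabilityID": cve, "PkgName": pkg, "PkgPath": path,
            "InstalledVersion": installed, "FixedVersion": fixed, "Severity": sev}


# Constructed sample standing in for a scan of the unpacked 4.0.2 jar. Package names,
# versions and CVE ids mirror the issue report; FixedVersion values and the MEDIUM
# placeholder finding are constructed for illustration, not looked up.
SCAN_4_0_2 = json.dumps({"SchemaVersion": 2, "ArtifactName": ".", "Results": [{
    "Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        _vuln("CVE-2024-7254", "com.google.protobuf:protobuf-java", "4.27.2", "4.27.5", "HIGH",
              "BOOT-INF/lib/protobuf-java-4.27.2.jar"),
        _vuln("CVE-2024-5971", "io.undertow:undertow-core", "2.3.13.Final", "2.3.14.Final", "HIGH",
              "BOOT-INF/lib/undertow-core-2.3.13.Final.jar"),
        # Same jar reported again under a second path: must collapse to one record.
        _vuln("CVE-2024-5971", "io.undertow:undertow-core", "2.3.13.Final", "2.3.14.Final", "HIGH",
              "BOOT-INF/lib/duplicate/undertow-core-2.3.13.Final.jar"),
        _vuln("CVE-2024-6162", "io.undertow:undertow-core", "2.3.13.Final", "2.3.14.Final", "HIGH",
              "BOOT-INF/lib/undertow-core-2.3.13.Final.jar"),
        _vuln("CVE-2024-7885", "io.undertow:undertow-core", "2.3.13.Final", "2.3.14.Final", "HIGH",
              "BOOT-INF/lib/undertow-core-2.3.13.Final.jar"),
        _vuln("CVE-2024-47561", "org.apache.avro:avro", "1.11.3", "1.11.4", "CRITICAL",
              "BOOT-INF/lib/avro-1.11.3.jar"),
        _vuln("CVE-2024-25710", "org.apache.commons:commons-compress", "1.21", "1.26.0", "HIGH",
              "BOOT-INF/lib/commons-compress-1.21.jar"),
        _vuln("CVE-2023-5685", "org.jboss.xnio:xnio-api", "3.8.8.Final", "3.8.16.Final", "HIGH",
              "BOOT-INF/lib/xnio-api-3.8.8.Final.jar"),
        _vuln("CVE-2024-38816", "org.springframework:spring-webmvc", "6.1.10", "6.1.14", "HIGH",
              "BOOT-INF/lib/spring-webmvc-6.1.10.jar"),
        _vuln("CVE-YYYY-NNNNN", "example:placeholder-lib", "0.0.1", "0.0.2", "MEDIUM",
              "BOOT-INF/lib/placeholder-lib-0.0.1.jar"),
    ]}]})

# Constructed sample for the snapshot scan: a clean target carries no "Vulnerabilities" key.
SCAN_SNAPSHOT = json.dumps({"SchemaVersion": 2, "ArtifactName": ".", "Results": [
    {"Target": "Java", "Class": "lang-pkgs", "Type": "jar"}]})


def findings(report_json: str, min_severity: str = "HIGH",
             service_name: str = "kafka-monitor") -> List[Dict[str, str]]:
    """Flatten a Trivy report into records shaped like the ones in the issue, keeping
    findings at or above min_severity and collapsing duplicate (package, version, CVE)
    triples that come from the same jar on several paths."""
    threshold = SEVERITY_RANK[min_severity]
    seen, records = set(), []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            key = (v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"])
            if key in seen:
                continue
            seen.add(key)
            records.append({"service_name": service_name, "package": v["PkgName"],
                            "version": v["InstalledVersion"], "fixed_version": v.get("FixedVersion", ""),
                            "VulnerabilityID": v["VulnerabilityID"], "Severity": sev})
    # Most severe first, then stable by package and id so diffs between runs stay readable.
    return sorted(records, key=lambda r: (-SEVERITY_RANK[r["Severity"]], r["package"], r["VulnerabilityID"]))


def compare_scans(before_json: str, after_json: str,
                  min_severity: str = "HIGH") -> Tuple[Set[str], Set[str], Set[str]]:
    """Answer 'does the new build help?': CVE ids fixed by it, still present in it,
    and newly introduced by it."""
    before = {r["VulnerabilityID"] for r in findings(before_json, min_severity)}
    after = {r["VulnerabilityID"] for r in findings(after_json, min_severity)}
    return before - after, before & after, after - before


if __name__ == "__main__":
    for rec in findings(SCAN_4_0_2):
        print(json.dumps(rec))
    fixed, remaining, new = compare_scans(SCAN_4_0_2, SCAN_SNAPSHOT)
    print(f"fixed={len(fixed)} remaining={len(remaining)} new={len(new)}")
```

Against real reports, replace the two embedded strings with the contents of the JSON files from scanning the unpacked 4.0.2 jar and the snapshot jar; the `fixed_version` field is what tells you whether a bump of the dependency (rather than a new Kafdrop build) would also have closed the finding.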

@ricardoredondo
Author

Sorry for the late response.

Thanks @nickmarden for taking a look into this. Yes, I just checked with the Docker 4.0.3 image and Trivy is not reporting vulnerabilities. Seems that 4.0.3 solves the issue.

@Bert-R looks like releasing the 4.0.3 snapshot would really help. Is it possible to get it released?

@Bert-R
Collaborator

Bert-R commented Dec 5, 2024

It looks like we are pretty close to cutting a new release. Once #703 is done, we'll trigger the process.

@Bert-R
Collaborator

Bert-R commented Dec 7, 2024

@davideicardi I just merged #703. That, together with #678 and #672, extends the functionality of Kafdrop. What about releasing this as 4.1.0 (rather than 4.0.3)?

@Bert-R
Collaborator

Bert-R commented Dec 10, 2024

Thanks to @davideicardi, the new release is available now.

@Bert-R Bert-R closed this as completed Dec 10, 2024
@ricardoredondo
Author

Thanks @Bert-R for all the help!!
