
Vulnerability CVE-2022-40897 in all images #270

Closed
bydich opened this issue Feb 6, 2023 · 3 comments

Comments

@bydich

bydich commented Feb 6, 2023

I'm using version 6.0.11 of the image in my project. During testing, the "trivy" utility discovered a vulnerability.

$ trivy image confluentinc/cp-kafka:6.0.11
2023-02-06T18:25:22.718+0300	INFO	Vulnerability scanning is enabled
2023-02-06T18:25:22.719+0300	INFO	Secret scanning is enabled
2023-02-06T18:25:22.719+0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-06T18:25:22.719+0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-06T18:25:30.121+0300	INFO	Detected OS: redhat
2023-02-06T18:25:30.121+0300	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-02-06T18:25:30.149+0300	INFO	Number of language-specific files: 2
2023-02-06T18:25:30.149+0300	INFO	Detecting jar vulnerabilities...
2023-02-06T18:25:30.153+0300	INFO	Detecting python-pkg vulnerabilities...

confluentinc/cp-kafka:6.0.11 (redhat 8.7)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                    │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ libksba │ CVE-2022-47629 │ HIGH     │ 1.3.5-8.el8_6     │               │ libksba: integer overflow to code execution │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-47629  │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘
2023-02-06T18:25:30.219+0300	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                         │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │ 50.3.2            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service │
│                       │                │          │                   │               │ (ReDoS) in package_index.py                           │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897            │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

I need to update Python setuptools to the new latest version (67.*), and I want to see my changes in the new image 6.0.12 to fix the vulnerability. I have prepared the changes. Which branch can I open a pull request against?
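As an added example (not code from this issue or from the confluentinc project): a small triage script over Trivy's `--format json` output that separates findings which have a fixed version available (actionable by rebuilding the image, like the setuptools finding) from those without one (libksba at the time of this scan), and emits the pip pin a rebuilt image would need. The sample JSON below is constructed to mirror the two findings in the scan above; the field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow Trivy's JSON report schema, and the severity threshold and exit-code policy are this example's own choices.

```python
"""Triage Trivy JSON findings: split fixable from unfixable, gate the build.

Added example, not part of the original issue or the confluentinc project.
Reads the output of `trivy image --format json <image>` (path as argv[1]);
with no argument it runs against a constructed sample mirroring the issue.
"""
import json
import sys

# Constructed sample mirroring the two findings in the issue (not real trivy output).
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "confluentinc/cp-kafka:6.0.11",
    "Results": [
        {
            "Target": "confluentinc/cp-kafka:6.0.11 (redhat 8.7)",
            "Class": "os-pkgs",
            "Type": "redhat",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-47629", "PkgName": "libksba",
                 "InstalledVersion": "1.3.5-8.el8_6", "FixedVersion": "",
                 "Severity": "HIGH",
                 "Title": "libksba: integer overflow to code execution"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-40897", "PkgName": "setuptools",
                 "InstalledVersion": "50.3.2", "FixedVersion": "65.5.1",
                 "Severity": "HIGH",
                 "Title": "pypa-setuptools: Regular Expression Denial of Service "
                          "(ReDoS) in package_index.py"},
            ],
        },
    ],
})

# Ordering used for the threshold check; Trivy's severity strings.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report_json: str, min_severity: str = "HIGH"):
    """Return (fixable, unfixable) findings at or above min_severity.

    A finding is 'fixable' when Trivy reports a non-empty FixedVersion, so the
    image builder can act on it directly by upgrading the package. Findings
    with no fixed version need a separate decision (wait for the distro fix,
    mitigate, or accept), so they are reported but kept apart.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    fixable, unfixable = [], []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            entry = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "type": result.get("Type"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
            }
            (fixable if entry["fixed"] else unfixable).append(entry)
    return fixable, unfixable


def pin_lines(fixable):
    """pip requirement pins ('pkg>=fixed') for fixable Python-package findings."""
    return sorted(f"{e['pkg']}>={e['fixed']}" for e in fixable
                  if e["type"] == "python-pkg")


def gate(report_json: str, min_severity: str = "HIGH") -> int:
    """CI exit code: 1 if any fixable finding at/above the threshold remains."""
    fixable, _ = triage(report_json, min_severity)
    return 1 if fixable else 0


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRIVY_JSON
    fixable, unfixable = triage(data)
    for e in fixable:
        print(f"FIX   {e['id']} {e['pkg']} {e['installed']} -> {e['fixed']}")
    for e in unfixable:
        print(f"WAIT  {e['id']} {e['pkg']} {e['installed']} (no fixed version yet)")
    print("pins:", *pin_lines(fixable))
    sys.exit(gate(data))
```

Run against a real report with `trivy image --format json -o report.json confluentinc/cp-kafka:6.0.11` followed by `python triage.py report.json`; on the constructed sample it reports the setuptools finding as fixable (pin `setuptools>=65.5.1`), lists libksba as waiting on a distro fix, and exits non-zero so the build pipeline fails until the image is rebuilt with the upgraded package.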

@janjwerner-confluent
Member

@bydich
Thank you for raising this issue and preparing the PR. We expect to resolve those issues in the upcoming quarterly release.

@yeikel

yeikel commented Feb 14, 2024

Did this get resolved?

@janjwerner-confluent
Member

Yes, both of those issues have been addressed. Please note that the 6.1.x branch is out of support scope.
https://docs.confluent.io/platform/current/installation/versions-interoperability.html
