openssl vulnerabilities

[romanb52]

Description

librdkafka uses OpenSSL 3 prior to 3.0.8 which is vulnerable:
[CVE-2023-0286] - https://nvd.nist.gov/vuln/detail/CVE-2023-0286/
[CVE-2022-4450] - https://nvd.nist.gov/vuln/detail/CVE-2022-4450/
[CVE-2023-0215] - https://nvd.nist.gov/vuln/detail/CVE-2023-0215/

How to reproduce

No need, vulnerable libraries are part of librdkafka

Checklist

Please provide the following information:

• librdkafka version (release number or git tag): 2.0.3
• Apache Kafka version: any
• librdkafka client configuration: any
• Operating system: any
• Provide logs (with debug=.. as necessary) from librdkafka - not needed
• Provide broker log excerpts - not needed
• Critical issue

[curtspiteri]

also librdkafka 2.0.2 uses libcurl version 7.86 which is also vulnerable as per https://curl.se/docs/vulnerabilities.html so it should be updated to the latest libcurl version.

[senecaconsultancy]

hi.. just writing to encourage this issue be resolved as soon as is practical. A lot banks won't allow its use until these are addressed.
Thank you!

[curtspiteri]

@pranavrth apart from LibCurl which has vulnerabilities and should be updated to latest 8.0.1 (See: https://curl.se/docs/vulnerabilities.html)

OpenSSL had other vulnerabilities as recent as 23rd March (See https://www.openssl.org/news/vulnerabilities.html)
I saw you upgraded to 3.0.8 in #4215 but I guess this needs to be 3.1.1 now once it's available.

[Vikash08Mishra]

I could see issue with even latest version of librdKafka (2.1.1). Currently, libcurl is leading to 4 CVE's, seems all of these would be fixed if we upgrade to libcurl version >= 8.1. We may need OpenSSL upgrade to 3.1.0 as well.
Below CVEs shows in runtime of all platform distribution linux/windows.

1. CVE-2023-27535 : https://nvd.nist.gov/vuln/detail/CVE-2023-27535
2. CVE-2023-27536 : https://nvd.nist.gov/vuln/detail/CVE-2023-27536
3. CVE-2023-28322: https://nvd.nist.gov/vuln/detail/CVE-2023-28322
4. CVE 2023-28319: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28319

@emasab @pranavrth Considering that all of above are high severity CVE's can we please update these in upcoming version ?

[emasab]

@Vikash08Mishra yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install librdkafka linux packages (from Confluent repositories) and the latest versions of the dependencies.

To use those:

Python

pip install --no-binary :all: confluent-kafka

Go

go build -tags dynamic

.NET (in .csproj)

    <PackageReference Include="Confluent.Kafka" Version="2.1.1" />
    <PackageReference Include="librdkafka.redist" Version="2.1.1" ExcludeAssets="All" />

[vdkranak]

Looks like Open SSL just released a new version 3.1.1 https://github.com/openssl/openssl/releases/tag/openssl-3.1.1

[romanb52]

Another vulnerability: CVE-2023-2650

[romanb52]

@Vikash08Mishra yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install librdkafka linux packages (from Confluent repositories) and the latest versions of the dependencies.

To use those:

Python

pip install --no-binary :all: confluent-kafka

Go

go build -tags dynamic

.NET (in .csproj)

    <PackageReference Include="Confluent.Kafka" Version="2.1.1" />
    <PackageReference Include="librdkafka.redist" Version="2.1.1" ExcludeAssets="All" />

Any update please?

[romanb52]

Another one: CVE-2023-4807

[vivek-datadog]

Few more CVEs in openssl v3.0.8

• https://nvd.nist.gov/vuln/detail/CVE-2023-3817
• https://nvd.nist.gov/vuln/detail/CVE-2023-0464
• https://nvd.nist.gov/vuln/detail/CVE-2023-0465
• https://nvd.nist.gov/vuln/detail/CVE-2023-0466
• https://nvd.nist.gov/vuln/detail/CVE-2023-1255
• https://nvd.nist.gov/vuln/detail/CVE-2023-2650
• https://nvd.nist.gov/vuln/detail/CVE-2023-2975
• https://nvd.nist.gov/vuln/detail/CVE-2023-4807
• https://nvd.nist.gov/vuln/detail/CVE-2023-5363
• https://nvd.nist.gov/vuln/detail/CVE-2023-5678

[vivek-datadog]

@Vikash08Mishra yes, we're scheduling the update for the release that's being published at the end of June. We try to update the precompiled binaries bundled in other Confluent clients as soon as possible. To meet the best security requirements, in terms of time to fix the vulnerability, it's also possible to install librdkafka linux packages (from Confluent repositories) and the latest versions of the dependencies.

To use those:

Python

pip install --no-binary :all: confluent-kafka

Go

go build -tags dynamic

.NET (in .csproj)

    <PackageReference Include="Confluent.Kafka" Version="2.1.1" />
    <PackageReference Include="librdkafka.redist" Version="2.1.1" ExcludeAssets="All" />

Hello @emasab , reaching out to check on openssl version update timeline. Would this be taken care as part of #4303? I am particularly interested in the librdkafka with updated openssl for Windows environment.

[janjwerner-confluent]

Thank you for the report. We are in the process of resolving this issue.
Please see: #4706