Prisma Alert #6507

sreejesh-radhakrishnan-db · 2022-03-11T09:26:24Z

sreejesh-radhakrishnan-db
Mar 11, 2022

We are running Operator version 0.26.1 and Kafka 0.26.1-kafka2.8.0 , we are onboarded to PRISMA alerts and following issues was raised with Critical or High Severity. Please can you help us why these are raised I thought all the log4j issues was fixed on 0.26.1 . For non log4j issues If these are genuine ones will there be a plan to fix these in any up coming release?

source	packageName	packageVersion	repository	Verison	severity	signature	sourcetype	splunk_hf
CVE-2021-45046	org.apache.logging.log4j_log4j-core	2.15.0	dkr-all/dkr-quay/strimzi/operator	0.26.1	Critical	https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046	9	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-45105	org.apache.logging.log4j_log4j-core	2.15.0	dkr-all/dkr-quay/strimzi/operator	0.26.1	High	https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-41772	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-41772	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-38297	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://nvd.nist.gov/vuln/detail/CVE-2021-38297	9.8	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-44716	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-44716	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23773	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2022-23773	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23772	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2022-23772	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-41771	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-41771	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23302	log4j_log4j	1.2.17	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2022-23302	8.8	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23307	log4j_log4j	1.2.17	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://nvd.nist.gov/vuln/detail/CVE-2022-23307	9.8	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-37137	io.netty_netty-codec	4.1.66.Final	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-37137	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2019-17571	log4j_log4j	1.2.17	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://nvd.nist.gov/vuln/detail/CVE-2019-17571	9.8	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23806	go	1.17.1	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://nvd.nist.gov/vuln/detail/CVE-2022-23806	9.1	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-37137	io.netty_netty-codec	4.1.62.Final	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-37137	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-45105	org.apache.logging.log4j_log4j-core	2.15.0	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-37136	io.netty_netty-codec	4.1.66.Final	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-37136	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2022-23305	log4j_log4j	1.2.17	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://nvd.nist.gov/vuln/detail/CVE-2022-23305	9.8	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-37136	io.netty_netty-codec	4.1.62.Final	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	High	https://nvd.nist.gov/vuln/detail/CVE-2021-37136	7.5	Red Hat Enterprise Linux release 8.5 (Ootpa)
CVE-2021-45046	org.apache.logging.log4j_log4j-core	2.15.0	dkr-all/dkr-quay/strimzi/kafka	0.26.1-kafka2.8.0	Critical	https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046	9	Red Hat Enterprise Linux release 8.5 (Ootpa)

scholzj · 2022-03-11T10:11:37Z

scholzj
Mar 11, 2022
Maintainer

Log4j2 had multiple CVEs over several weeks. IIRC, some of them were fixed in 0.26.1, some of them in later versions only. So you might need to upgrade. In the thread dedicated to the Log4j2 CVE there might be more details about which CVE is fixed where.

The Log4j1 CVEs are part of Apache Kafka and need to be addressed there (there is an ongoing work on that).

5 replies

sreejesh-radhakrishnan-db Mar 11, 2022
Author

sorry what about go related issues, do I need to figure that out from Apache KAFKA ?

scholzj Mar 11, 2022
Maintainer

The only thing in Golang in that image is the Kafka Exporter. I do not know if that is what your scanner identified neither I know how any Golang CVEs affect it.

sreejesh-radhakrishnan-db Mar 11, 2022
Author

@scholzj cheers.... will try apache help forum if I can get more info

scholzj Mar 11, 2022
Maintainer

I'm quite sure that no Golang CVEs come from Apache Kafka since that is a Scala / Java project.

scholzj Mar 11, 2022
Maintainer

Plus in general, your scanning tool has to tell you exactly where it found what it found.

sreejesh-radhakrishnan-db · 2022-03-11T11:58:35Z

sreejesh-radhakrishnan-db
Mar 11, 2022
Author

thanks @scholzj

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

Prisma Alert #6507

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 5 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strimzi

Prisma Alert #6507

Uh oh!

sreejesh-radhakrishnan-db Mar 11, 2022

Replies: 2 comments · 5 replies

Uh oh!

scholzj Mar 11, 2022 Maintainer

Uh oh!

sreejesh-radhakrishnan-db Mar 11, 2022 Author

Uh oh!

scholzj Mar 11, 2022 Maintainer

Uh oh!

sreejesh-radhakrishnan-db Mar 11, 2022 Author

Uh oh!

scholzj Mar 11, 2022 Maintainer

Uh oh!

Uh oh!

scholzj Mar 11, 2022 Maintainer

Uh oh!

sreejesh-radhakrishnan-db Mar 11, 2022 Author

sreejesh-radhakrishnan-db
Mar 11, 2022

Replies: 2 comments 5 replies

scholzj
Mar 11, 2022
Maintainer

sreejesh-radhakrishnan-db Mar 11, 2022
Author

scholzj Mar 11, 2022
Maintainer

sreejesh-radhakrishnan-db Mar 11, 2022
Author

scholzj Mar 11, 2022
Maintainer

scholzj Mar 11, 2022
Maintainer

sreejesh-radhakrishnan-db
Mar 11, 2022
Author