Critical Vulnerability CVE-2022-26612

[tojaroslaw]

Hi confluent team!

I noticed that confluentinc-kafka-connect-s3-10.0.7 recently got flagged by our vulnerability scanner just today with the critical vulnerability, CVE-2022-26612. From a brief glance, I think the culprit is hadoop. Apparently, they fixed this vulnerability in version 3.2.3, but I saw that the lib files still use 2.10.1. Since this is a major version change, I understand any concern about upgrading too hastily, but I was just hoping to get an ETA on when we can get a clean version of confluentinc-kafka-connect-s3. Our organization has a policy of remediating all critical vulnerabilities, so any update would be greatly appreciated.

Thanks, Toby

[ikekilinc]

+1 ^^^ My organization also would benefit heavily from a vulnerability patch with this hadoop version bump

[tooptoop4]

https://github.com/confluentinc/kafka-connect-storage-common/blob/v11.0.8/pom.xml#L77 :(
there is also CVE-2021-37404

[tojaroslaw]

I tried to create a PR to address this

confluentinc/kafka-connect-storage-common#256

I'm hoping someone can take a look at it!

[janjwerner-confluent]

Toby,
Thank you for raising this issue. We are aware of those issues and plan on addressing them in an upcoming release cycle.