Re: Question about Critical Security Findings in kafka-exporter dependency in Strimzi images


Jakub Scholz
 

Hi Kerstin,

I'm not really a Golang expert. As for CVE-2022-23806, crypto functions will be used between the Kafka Exporter where mTLS is used. The CVE-2021-38297 seems to suggest it applies only to WASM modules in which case I wonder if it applies here. But obviously it will be showing in scanners anyway.

Did you raise it on the Kafka Exporter project as well? There was not much development going on, but there were occasional releases happening there. Last commit seems to be from January. In general, we tend to rely on the binaries provided by the other projects because having our own build of something like this requires a lot of time (CI, updates, know-how etc.). But if there would not be a new release with a fix, we might need to decide whether we want to fork it to maintain our own build or find some other project for exporting the consumer lag.

Thanks & Regards
Jakub

On Wed, Jun 22, 2022 at 4:13 PM kerstin.maier via lists.cncf.io <kerstin.maier=mercedes-benz.com@...> wrote:
Hi,
we do regular automatic security scans for the Strimzi images we use in our organization and the latest images always have a few CRITICAL findings in our security scan, at the moment this are
NVD - CVE-2021-38297 (nist.gov) and NVD - cve-2022-23806 (nist.gov).

We took a look where this is coming from and seems it's cause the latest Kafka exporter release 1.4.2 (from September 21st, 2021) still comes with Go 1.17.1
https://github.com/danielqsj/kafka_exporter/tags

Looking at the Github repo of Kafka Exporter, it doesn't look as if anybody is actively working on this repo anymore at the moment. We are wondering,are there any plans from Strimzi to deal with such dependencies that aren't regularily updated?
I assume many projects to regular security scans of their images and if some dependencies aren't updated regularily or at all anymore, the critical findings won't disappear.

Thanks,
Kerstin

Join cncf-strimzi-users@lists.cncf.io to automatically receive all group messages.