PRISMA critical alert

[sreejesh-radhakrishnan-db]

Hi we using Operator 28 and Kafka 3.1.0.22

name: operator
tag: 0.28.0
kafka_tag: 0.28.0-kafka-3.1.0.22

We have been notified by Prisma alert for vulnerabilities for OPERATOR and KAFKA component

Any idea if these are fixed in any of the later version?

Issue with FIX Verison component
nss-sysinit 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/operator
nss-util 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/operator
nss 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/operator
nss-softokn-freebl 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/operator
nss-softokn 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/operator
nss 3.53.1-17.el8_3 dkr-all/dkr-quay/strimzi/kafka
nss-util 3.53.1-17.el8_3 dkr-all/dkr-quay/strimzi/kafka
nss-softokn-freebl 3.53.1-17.el8_3 dkr-all/dkr-quay/strimzi/kafka
nss-sysinit 3.53.1-17.el8_3 dkr-all/dkr-quay/strimzi/kafka
nss-softokn 3.53.1-17.el8_3 dkr-all/dkr-quay/strimzi/kafka
nss 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/kafka
nss-softokn 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/kafka
nss-sysinit 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/kafka
nss-softokn-freebl 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/kafka
nss-util 3.67.0-7.el8_5 dkr-all/dkr-quay/strimzi/kafka

[sreejesh-radhakrishnan-db]

-ITEMS SHOWN in Scan as vulnerable for https://access.redhat.com/security/cve/CVE-2021-43529

• nss-sysinit
  nss-util
  nss
  nss-softokn-freebl
  nss-softokn
  nss
  nss-util
  nss-softokn-freebl
  nss-sysinit
  nss-softokn
  nss
  nss-softokn
  nss-sysinit
  nss-softokn-freebl
  nss-util

Version this is been fixed@
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5
3.53.1-17.el8_3
3.53.1-17.el8_3
3.53.1-17.el8_3
3.53.1-17.el8_3
3.53.1-17.el8_3
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5
3.67.0-7.el8_5

[scholzj]

Why do these show with different versions? I would assume only one version will be installed.

[sreejesh-radhakrishnan-db]

Yes right, if we migrate to 3.67.0-7.el8_5 will fix issue.

I am no expert on Prisma, and annoyed that they don't actually point to the artefact which caused this issues with in a repository. All this are tagged against the repo
dkr-all/dkr-quay/strimzi/operator
dkr-all/dkr-quay/strimzi/kafka

[scholzj]

3.67.0-7.el8_5 seem sot be already used in 0.29.0:

$ rpm -qi nss
Name        : nss
Version     : 3.67.0
Release     : 7.el8_5
Architecture: x86_64
Install Date: Wed May 18 10:41:47 2022
Group       : Unspecified
Size        : 2045956
License     : MPLv2.0
Signature   : RSA/SHA256, Wed Nov 24 11:06:01 2021, Key ID 199e2f91fd431d51
Source RPM  : nss-3.67.0-7.el8_5.src.rpm
Build Date  : Tue Nov 23 22:24:47 2021
Build Host  : x86-vm-14.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/nss/
Summary     : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

So I guess that an upgrade might help?

[sreejesh-radhakrishnan-db]

thanks , possible to check if any of the component in KAFKA uses - 3.53.1-17.el8_3 at all?

[scholzj]

I don't think we use NSS for anything our of the box. It might be pulled by OpenJDK which uses it in the FIPS mode (but the FIPS mode is currently not supported by Strimzi).