Strimzi Kafka images vulnerabilities

[gourab-jonty]

Hello Everyone,

We are utilizing Strimzi Kafka - 0.37.0 on the Kubernetes platform and have conducted a vulnerability check for all images using Trivy Scanner as a part of security compliance. It has been observed that a significant number of critical high and medium-level vulnerabilities have been identified.

We would like to know if all images have been tested and verified, or if there is a plan in place to address these vulnerabilities.

[scholzj]

It is hard to give you an exact answer without talking about specific images / specific CVEs. But in general:

• It is basically impossible to have a CVE-free container image. New CVEs pop up while you are trying to test the fixed container image to the previous one.
• Not every CVE found by some scanner actually affects or impacts you in any way. You have to evaluate the risks yourself and compare them against the risk that the fix will break something else and cause more damage.
• Strimzi relies on other projects and their binaries. So when they do not fix the CVEs, we cannot fix them either (e.g. Kafka, ZooKeeper, Cruise Control etc.)

[gourab-jonty]

Hello @scholzj

Thank you for your response.
Please find below the list of CVEs that are High and Critical:

Repository	CVE	Package	Current Version	Fixed in version	Severity
repo/operator	CVE-2023-39017	org.quartz-scheduler:quartz	2.3.2	2.4.0-rc1	Critical
repo/operator	CVE-2023-40217	platform-python	3.6.8-51.el8_8.1		High
repo/maven-builder	CVE-2023-40217	python3-libs	3.6.8-51.el8_8.1		High
repo/maven-builder	CVE-2023-40217	platform-python	3.6.8-51.el8_8.1		High
repo/operator	CVE-2023-40217	python3-libs	3.6.8-51.el8_8.1		High

Could you please fix the CVEs if possible?

[scholzj]

You would need to share in what image and what path were they found at. You should also do what I suggested, check what they say and whether they really apply. Not just blindly copy something some scanner gave you. For example, the CVE-2023-39017 ... if you read the details, you would know that:

• It seems to be disputed -> authors of the library do not seem to agree with it.
• Even without the dispute, it is said to affect quartz-jobs library that is not used at all by Strimzi as far as I know

SImilarly for the other CVE. Strimzi does not use Python, so are you really affected by it? Also, does the empty Fixed in version column suggest that there is no fix available for it?