
io.confluent:kafka-json-schema-serializer:7.5.1 includes 3 party library with critical vulnerability #2960

Open
maciejadamski0 opened this issue Feb 7, 2024 · 5 comments

Comments

@maciejadamski0

Hi,
The library that contains the serializers/deserializers for JSON Schema contains a critical vulnerability. We tried to exclude it from the packages, but then sending messages on Kafka does not work.

  • [io.confluent:kafka-json-schema-serializer:7.5.1]
    --[io.confluent:kafka-json-schema-provider:7.5.1]
    ---[com.kjetland:mbknor-jackson-jsonschema_2.13:1.0.39]
    ----[org.scala-lang:scala-library:2.13.1]

com.kjetland:mbknor-jackson-jsonschema has not published a newer version since 2020.
People reported errors and created merge requests to correct these problems, but the author did not respond. It looks like the library is simply no longer supported.

Are you able to replace this particular library with a newer solution that has support and does not contain critical vulnerabilities?


@janjwerner-confluent
Member

@maciejadamski0
Can you try to override the version of scala-library that is brought into your project using the dependency management?
If you look at the current 7.5.x dependency tree, you should notice an updated version of the kafka and scala jars.

    [INFO] --- dependency:3.3.0:tree (default-cli) @ kafka-json-schema-serializer ---
    [INFO] io.confluent:kafka-json-schema-serializer:jar:7.5.4-0
    [INFO] +- org.apache.kafka:kafka_2.13:jar:7.5.4-10-ccs:provided
    [INFO] |  +- org.apache.kafka:kafka-clients:jar:7.5.4-10-ccs:compile
    [INFO] |  |  +- com.github.luben:zstd-jni:jar:1.5.5-1:runtime
    [INFO] |  |  +- org.lz4:lz4-java:jar:1.8.0:runtime
    [INFO] |  |  \- org.xerial.snappy:snappy-java:jar:1.1.10.5:runtime
    [INFO] |  +- org.scala-lang:scala-library:jar:2.13.10:compile
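The override suggested above, as an added example that is not part of the thread or of Confluent's project: a minimal Maven `pom.xml` whose `dependencyManagement` section pins `org.scala-lang:scala-library` to 2.13.10, the version shown in the maintainer's 7.5.4 tree, so that the transitive version pulled in through `mbknor-jackson-jsonschema_2.13` is replaced. The project coordinates (`com.example:kafka-json-schema-demo`) are placeholders; the Confluent Maven repository URL is the public one needed to resolve `io.confluent` artifacts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the issue thread or the Confluent code base).
     Pins scala-library via dependencyManagement; Maven uses a managed version
     for transitive dependencies too, which is why this overrides the 2.13.1
     that mbknor-jackson-jsonschema_2.13 would otherwise bring in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder coordinates for the consuming project. -->
  <groupId>com.example</groupId>
  <artifactId>kafka-json-schema-demo</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <repositories>
    <!-- io.confluent artifacts are published here, not on Maven Central. -->
    <repository>
      <id>confluent</id>
      <url>https://packages.confluent.io/maven/</url>
    </repository>
  </repositories>

  <dependencyManagement>
    <dependencies>
      <!-- Force the scala-library version for every path in the tree.
           2.13.10 is the version seen in the maintainer's 7.5.4 tree;
           choose the version your own vulnerability scan requires. -->
      <dependency>
        <groupId>org.scala-lang</groupId>
        <artifactId>scala-library</artifactId>
        <version>2.13.10</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The serializer from the issue title; its transitive scala-library
         is now resolved to the managed version above. -->
    <dependency>
      <groupId>io.confluent</groupId>
      <artifactId>kafka-json-schema-serializer</artifactId>
      <version>7.5.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.scala-lang`, which prints only the paths ending in `org.scala-lang` artifacts; every `scala-library` line should now show the managed version. Because a managed version applies across the whole tree, re-run the project's producer/consumer tests afterwards, which is what the maintainer reports doing for schema registry.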

@maciejadamski0
Author

@janjwerner-confluent
Sorry, I'm not a Scala expert, but my understanding is that this language works on the principle that if we have this library
https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39
the library indicates which version of Scala it was written for; the information is in the table ("Scala Target"). It may happen that the library stops working or behaving correctly.
The mbknor-jsonschema library itself contains many vulnerabilities and will probably become quite dangerous to use soon. Do you have a plan to change this library in the upcoming releases?

@janjwerner-confluent
Member

@maciejadamski0
I'm not aware of the current plans to replace the library. Overriding the scala library has passed all the tests we have for schema registry.
You mentioned "The mbknor-jsonschema library itself contains many vulnerabilities" - can you point me to those vulnerabilities?

@maciejadamski0
Author

Hi @janjwerner-confluent
Mvn central repository link:
https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39
++ copied list of vulnerabilities from dependency:
CVE-2023-6378
CVE-2022-42004
CVE-2022-42003
CVE-2022-36944
CVE-2021-46877
CVE-2020-36518
CVE-2020-25649

> Override of the scala library has passed all the tests we have for schema registry.

I will try this action and let you know if it helped in our case.

@janjwerner-confluent
Member

@maciejadamski0
Were you able to resolve the issue?
