Update proton-j to 0.34 or latest for OSGI

Description

Need to address CVE-2024-27309 plus the discrepancy below. Need rating for this CVE here.

We have updated to proton-j version later than 0.26 here:

However, we still see the scans picking up the version 0.26 (from our own trivy scan on M2024 as well as the PB customer scan on 2024).

From PB scan: pkg:maven/org.apache.qpid/proton-j@0.26.0

Need to verify where this is still coming from (OSGI or something else) and update to version 0.34 or later.

From our trivy scan below:

Acceptance / Success Criteria

None

Activity


Christian Pape October 11, 2024 at 9:07 AM

Merged.

Christian Pape October 10, 2024 at 5:52 AM

Please review:
* PR:

Nishtha Kaura October 8, 2024 at 4:35 PM

Information Security Review

The impact of the CVE below is subject to the two pre-conditions both being met. Only if the conditions are met does it impact the ACL enforcement during migration from ZK to KRaft.

I will keep the rating as is based on CISA evaluation, unless we confirm that the two conditions are not met or the mitigation is in place while migrating: The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource.

CVSS v3.1 Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.4 High

CVE 2024-27309

Description: While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL. 2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct. The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain). The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. If DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.
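A defender-side pre-check for the two preconditions in the CVE text above, added here as an illustration; it is not code from this ticket, from Apache Kafka or from the Qpid project, and the ACL records and resource names are constructed samples. It flags planned ACL removals that would leave a resource with two or more ACLs during the ZK-to-KRaft migration and classifies the impact by whether a DENY ACL remains.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    resource: str    # e.g. "topic:orders" (constructed naming)
    principal: str
    operation: str
    permission: str  # "ALLOW" or "DENY"


# Constructed sample ACL set for illustration, not taken from a real cluster.
SAMPLE_ACLS = [
    Acl("topic:orders", "User:app", "READ", "ALLOW"),
    Acl("topic:orders", "User:app", "WRITE", "ALLOW"),
    Acl("topic:orders", "User:contractor", "READ", "DENY"),
    Acl("topic:audit", "User:app", "READ", "ALLOW"),
    Acl("topic:audit", "User:ops", "READ", "ALLOW"),
]


def assess_removal(acls, acl):
    """Apply the two CVE-2024-27309 preconditions to one planned removal.

    Returns a finding dict when the removal would leave the resource with two
    or more other ACLs (the trigger condition), otherwise None.
    """
    remaining = [a for a in acls if a.resource == acl.resource and a != acl]
    if len(remaining) < 2:
        return None  # zero or one ACL left: the bug is not triggered
    has_deny = any(a.permission == "DENY" for a in remaining)
    return {
        "resource": acl.resource,
        "remaining_acls": len(remaining),
        # A remaining DENY ACL may be ignored during migration, so C/I impact
        # is possible; with only ALLOW ACLs the impact is limited to availability.
        "impact": "confidentiality/integrity" if has_deny else "availability",
        "mitigation": "defer until no ZK-mode brokers remain, or add a new ACL "
                      "to the resource after the removal",
    }


def review_removal_plan(acls, removals):
    """Return a finding for every planned removal that triggers the bug."""
    return [f for f in (assess_removal(acls, r) for r in removals) if f]


if __name__ == "__main__":
    for finding in review_removal_plan(SAMPLE_ACLS, [SAMPLE_ACLS[0], SAMPLE_ACLS[3]]):
        print(finding)
```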

Veena Kannan October 8, 2024 at 3:45 AM

Updated the correct CVE number to assess. Sorry for the miss.

Nishtha Kaura October 8, 2024 at 2:03 AM

Is this the right CVE# mentioned, as that one is related to Apache Kafka (also, the CVE has not been rated by CVSS yet), while the other one mentioned is for Apache Qpid Proton-J? Latest version: Qpid Proton-J 0.34.1 - Apache Qpid™.

Fixed

Created September 27, 2024 at 5:46 PM
Updated October 17, 2024 at 12:11 PM
Resolved October 11, 2024 at 9:07 AM