jetty-http is showing as having CVE #11092
Replies: 1 comment
This is not completely simple to address as there is a mix of Jetty versions being used by Strimzi and Kafka. I opened #11094 to see if we can do something about it for the Strimzi part. In general, Jetty is used in 3 places:
The Strimzi Kafka Agent is protected through network policies (if supported by your SDN) and by mTLS and is used only by the operator. So I think that it is secured that way and unless you bypass those measures, you cannot really exploit any CVEs on the HTTP level. For the other two cases, I think it is more complicated. I suspect you could in theory use CVE-2024-8184 to DoS the Pods. But neither of these two cases should really be exposed outside of your Kubernetes cluster, to the open internet for example. I'm not really sure what the effect of GHSA-qh8g-58pp-2wxh is, to be honest.
We have the org.eclipse.jetty-* dependencies added here. As per public CVE records there is a CVE identified for the current version being used in Strimzi.
GHSA-qh8g-58pp-2wxh
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47535 (probably related)
Just wondering if it's a false positive or whether I really need to worry as a Strimzi user. :)
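The maintainer's reply points out that the real question behind a scanner hit like this is which Jetty version lines are actually present in the artifact being assessed, since Strimzi and Kafka pull in different ones. The script below is an added example, not Strimzi's or Jetty's code: it takes a dependency listing in the `groupId:artifactId:type:version:scope` shape that `mvn dependency:list` prints, groups the Jetty artifacts by `major.minor` line so that a mixed version set is visible, and flags artifacts older than a fix version for their line. The sample listing and the `FIXED_IN` thresholds are constructed placeholders for illustration; take the real fixed versions from the advisory you are assessing, and treat lines with no threshold as "no verdict" rather than "safe".

```python
"""Group Jetty artifacts from a dependency listing by version line and flag
those below an assumed fixed version for that line.

Added example, not Strimzi's or Jetty's code. SAMPLE_DEPENDENCY_LIST and
FIXED_IN are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `mvn dependency:list` output lines
# (groupId:artifactId:type:version:scope). The versions are made up.
SAMPLE_DEPENDENCY_LIST = """\
   org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
   org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
   org.eclipse.jetty:jetty-http:jar:12.0.7:compile
   org.eclipse.jetty:jetty-io:jar:12.0.12:compile
   org.apache.kafka:kafka-clients:jar:3.7.0:compile
"""

# Assumed fix thresholds per Jetty major.minor line (placeholder values,
# not taken from any advisory). Lines missing here get no verdict.
FIXED_IN = {"9.4": "9.4.56", "12.0": "12.0.9"}

# Matches Jetty group ids (org.eclipse.jetty, org.eclipse.jetty.http2, ...);
# the optional ".vYYYYMMDD" qualifier used by Jetty 9 releases is dropped.
JETTY_LINE = re.compile(
    r"^\s*(org\.eclipse\.jetty(?:\.[\w-]+)*):([\w-]+):\w+:"
    r"(\d+(?:\.\d+)*)(?:\.v\d+)?:\w+\s*$"
)


def version_key(version):
    """Numeric tuple for ordering, e.g. '9.4.53' -> (9, 4, 53)."""
    return tuple(int(p) for p in version.split("."))


def version_line(version):
    """The major.minor line a version belongs to, e.g. '12.0.7' -> '12.0'."""
    return ".".join(version.split(".")[:2])


def parse_jetty_coordinates(text):
    """Return (group, artifact, numeric version) for each Jetty line.

    Non-Jetty lines and lines not in dependency:list shape are ignored.
    """
    found = []
    for line in text.splitlines():
        m = JETTY_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def versions_by_line(entries):
    """Map each major.minor line to the set of versions seen on it."""
    lines = defaultdict(set)
    for _group, _artifact, version in entries:
        lines[version_line(version)].add(version)
    return dict(lines)


def below_fix(entries, fixed_in=FIXED_IN):
    """List (artifact, version, fix) for artifacts older than the fix on
    their line. Lines without a threshold are skipped: no verdict, not safe."""
    flagged = []
    for _group, artifact, version in entries:
        fix = fixed_in.get(version_line(version))
        if fix is not None and version_key(version) < version_key(fix):
            flagged.append((artifact, version, fix))
    return flagged


if __name__ == "__main__":
    entries = parse_jetty_coordinates(SAMPLE_DEPENDENCY_LIST)
    for line, versions in sorted(versions_by_line(entries).items()):
        print(f"Jetty {line} line: {sorted(versions, key=version_key)}")
    for artifact, version, fix in below_fix(entries):
        print(f"{artifact} {version} is below assumed fix {fix}")
```

Run it against the output of `mvn dependency:list` (or a component list pulled from the container image's SBOM) instead of the constructed sample to see which Jetty lines a given Strimzi image really carries; a scanner hit on one line says nothing about artifacts on another.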