Strimizi kafka operator, vulnerabilities for v 3.6.0

[koustreak]

Bug Description

As per quay.io the strimizi kafka operator, 3
6.0 has 1 critical vulnerabilities and several high vulnerabilities .

Steps to reproduce

1.Go to quay.io/repository/strimzi/kafka?tab=tags&tag=latest-kafka-3.6.0
2. Check for the vulnerabilities

Expected behavior

No response

Strimzi version

3.6.0

Kubernetes version

1.23

Installation method

helm chart

Infrastructure

Amazon EKS

Configuration files and logs

No response

Additional context

No response

[scholzj]

Any CVEs issues in a Kafka release need to be addressed in the Apache Kafka project. The same applies also to Cruise Control. Strimzi only pulls their binaries. As for Apache Kafka 3.6.0, some of the fixes might be included in Kafka 3.6.1 -> we expect that to be included in Strimzi 0.41 (we expect to start working on the 0.41 release later this week).

[koustreak]

In 3.6.1 , those are cve related fixes ?

[scholzj]

I actually meant 3.6.2 which is the latest 3.6 release and will be part of Strimzi 0.41.0, sorry. But in general yes, any newer Kafka version might have addressed some of the CVEs, so even 3.6.1 might have some fixes over 3.6.0..