
@stephen-crawford (Contributor)

Signed-off-by: Stephen Crawford steecraw@amazon.com

Description

Updates the Kafka dependency from 3.0.2 -> 3.4.0. Also updates three dependencies that had a version conflict.

Issues Resolved

#2431

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@stephen-crawford stephen-crawford requested a review from a team February 9, 2023 20:32
@cwperks (Member)

cwperks commented Feb 9, 2023

The plugin-install is impacted by the issue addressed in this open PR: #2433

@stephen-crawford stephen-crawford force-pushed the Main-CVE-Fix branch 2 times, most recently from b966250 to ec43c19 on February 16, 2023 21:31
stephen-crawford and others added 3 commits February 16, 2023 16:32
@stephen-crawford (Contributor, Author)

So the CVE is addressed in Kafka version 3.4.0, but we use springframework.kafka for the KafkaSinkTest. However, the springframework.kafka versions only support up to Kafka 3.3.2 as of the new release today. Unfortunately, the CVE is still present in Kafka 3.3.2, so upgrading to that does not fix the issue. We will need to wait until there is an updated springframework.kafka version that supports Kafka 3.4.0 before we can fix the CVE.

The CVE is based around deserializing LDAP responses by connecting to an attacker's LDAP server, so it is not clear that OpenSearch would be directly impacted by the vulnerability.

@DarshitChanpura (Member)

@scrawfor99 This question, spring-projects/spring-kafka#2574, mentions that the latest version (3.0.3) can be used for kafka 3.4.0.
Our test failures (java.lang.NoClassDefFoundError: kafka/common/KafkaException) are due to a version mismatch between the spring and kafka dependencies.
I believe updating to kafka 3.0.3 should solve the issue.

@peternied (Member)

@scrawfor99 Looks like there is another pull request from a community member. If they sign the DCO would you want to close out this pull request and work with them on that PR?

@stephen-crawford (Contributor, Author)

Hi @peternied, I am definitely in favor of the other contributor's PR.

I will leave a note, @DarshitChanpura. I know it is from the version mismatch, but on the website it looked like it only supported up to 3.3.2. That being said, I see that the question you linked suggests otherwise. I will look at the workaround when helping the other contributor.
