Request for base image and JDK updates to address reported CVEs

[smazsta]

Hello Strimzi team,

We are in the process of upgrading from Strimzi Operator 0.45 to 0.47, but the rollout had to be paused due to several HIGH and CRITICAL CVEs flagged by our security scanning tools.

From our assessment, most of these vulnerabilities appear to stem from the RHEL UBI base image and the JDK 17 version used to build the operator and related Strimzi images. While these CVEs do not seem to directly impact the operator’s security model, they can be resolved by updating to newer, patched versions of RHEL UBI and JDK during image builds.

I would like to ask if there is a plan to update the RHEL UBI base image and JDK version used in the Strimzi operator image? Will related images such as kaniko-executor and kafka-bridge also be updated to address these CVEs?

For reference, these are the CVEs detected in our scans:

• NVD-CVE-2025-5914
• NVD-CVE-2025-6965
• NVD-CVE-2025-7425
• NVD-CVE-2025-8194
• NVD-CVE-2025-30749
• NVD-CVE-2025-32988
• NVD-CVE-2025-32990
• NVD-CVE-2025-50059
• NVD-CVE-2025-50106

Any guidance on whether a patch release or future version will address these would be greatly appreciated.

Thank you for your work on Strimzi!

[scholzj]

We did the CVE re-spin on Tuesday. So please make sure you use the latest images. If you still have any CVE questions, please make sure to share the CVEs you want to ask about with a clear information about:

• The exact image affected
• The exact path where the CVE is supposed to be

[smazsta]

Thank you for the quick response!

We’ll re-run our scans against the latest images that were re-spun. If any CVEs are still flagged, we’ll follow up with:

• The exact image (e.g., operator, kafka-bridge, kaniko-executor, etc.)
• The full path where the scanner reports the CVE

At the moment, the flagged CVEs were found in:

• Operator (0.47.0)
• Kafka-bridge (0.47.0)
• Kaniko-executor (0.47.0)
• Maven-bridge (0.32.0)
• Intermediate Kafka images (3.9.1, used during upgrade rollout)

We’ll verify against the updated images and report back with specifics if the issues persist.

Thanks again for clarifying the process!

[scholzj]

TBH, there will be always CVEs. You should not expect there to be zero CVEs and it is not something we aim for. But we are always happy to discuss and see what can be done about the more important or critical ones.

[smazsta]

I understand that there will always be CVEs and that achieving zero CVEs is not the goal. My question was more about whether there are plans to update the base components, as it seems that the CVEs we observed are not associated with the Strimzi operator itself but with the underlying Linux and Java versions used to build the images making them sort of false positives.

From our analysis, most of these issues could be resolved with an update of OpenJDK and the RHEL base image. I assumed that these updates would be included when operator 0.49 is released, which will support Kafka image 4.1.0.

Of course, I will provide the requested data for the images and CVEs so that you have clear visibility on which ones we are referring to. I appreciate any guidance on whether these updates are planned in the near term.

Here are the details you requested for the CVEs still being flagged as HIGH/CRITICAL on our side for the operator as we can somehow deal with other packages.

---

CVE-2025-5914 (libarchive)

• Package: libarchive (version 3.5.3-6.el9_6)
• Paths from rpm -ql libarchive:

	/usr/lib64/libarchive.so.13
	/usr/lib64/libarchive.so.13.5.3
	/usr/share/doc/libarchive
	/usr/share/doc/libarchive/NEWS
	/usr/share/doc/libarchive/README.md
	/usr/share/licenses/libarchive
	/usr/share/licenses/libarchive/COPYING
	/usr/share/man/man5/cpio.5.gz
	/usr/share/man/man5/mtree.5.gz
	/usr/share/man/man5/tar.5.gz

---

CVE-2025-6965 (sqlite-libs)

• Package: sqlite-libs (version 3.34.1-8.el9_6)
• Paths from rpm -ql sqlite-libs:

	/usr/lib/.build-id
	/usr/lib/.build-id/d4
	/usr/lib/.build-id/d4/faca7d381718641dd76cada08d827d9624ef8a
	/usr/lib64/libsqlite3.so.0
	/usr/lib64/libsqlite3.so.0.8.6
	/usr/share/doc/sqlite-libs
	/usr/share/doc/sqlite-libs/README.md

---

CVE-2025-7425 (libxml2)

• Package: libxml2 (version 2.9.13-12.el9_6)
• Paths from rpm -ql libxml2:

	/usr/bin/xmlcatalog
	/usr/bin/xmllint
	/usr/lib/.build-id
	/usr/lib/.build-id/52
	/usr/lib/.build-id/52/21fa46eb5d4accaeff20b4b79c7cb92b5c7469
	/usr/lib/.build-id/b4
	/usr/lib/.build-id/b4/73e45ffe4a2ab8128a4380d4d85bc30cd65106
	/usr/lib/.build-id/e8
	/usr/lib/.build-id/e8/d2651fa59cca8da26db5c90d2fcea1bda430e8
	/usr/lib64/libxml2.so.2
	/usr/lib64/libxml2.so.2.9.13
	/usr/share/doc/libxml2
	/usr/share/doc/libxml2/NEWS
	/usr/share/doc/libxml2/README.md
	/usr/share/doc/libxml2/TODO
	/usr/share/licenses/libxml2
	/usr/share/licenses/libxml2/Copyright
	/usr/share/man/man1/xmlcatalog.1.gz
	/usr/share/man/man1/xmllint.1.gz
	/usr/share/man/man3/libxml.3.gz

---

CVE-2025-8194 (python3)

• Package: python3 (version 3.9.21-2.el9_6.2)

---

CVE-2025-30749, CVE-2025-50059, CVE-2025-50106 (OpenJDK)

• Package: OpenJDK (version 17.0.16+8-LTS)

---

CVE-2025-32988, CVE-2025-32990 (gnutls)

• Package: gnutls (version 3.8.3-6.el9_6.2)
• Paths from rpm -ql gnutls:

	/usr/lib/.build-id
	/usr/lib/.build-id/09
	/usr/lib/.build-id/09/6527ad82b41362502d32a3731014fafe068967
	/usr/lib64/.libgnutls.so.30.37.1.hmac
	/usr/lib64/.libgnutls.so.30.hmac
	/usr/lib64/libgnutls.so.30
	/usr/lib64/libgnutls.so.30.37.1
	/usr/share/doc/gnutls
	/usr/share/doc/gnutls/AUTHORS
	/usr/share/doc/gnutls/NEWS
	/usr/share/doc/gnutls/README.md
	/usr/share/doc/gnutls/THANKS
	/usr/share/licenses/gnutls
	/usr/share/licenses/gnutls/COPYING
	/usr/share/licenses/gnutls/COPYING.LESSER
	/usr/share/licenses/gnutls/LICENSE
	/usr/share/locale/cs/LC_MESSAGES/gnutls.mo
	/usr/share/locale/de/LC_MESSAGES/gnutls.mo
	/usr/share/locale/eo/LC_MESSAGES/gnutls.mo
	/usr/share/locale/es/LC_MESSAGES/gnutls.mo
	/usr/share/locale/fi/LC_MESSAGES/gnutls.mo
	/usr/share/locale/fr/LC_MESSAGES/gnutls.mo
	/usr/share/locale/it/LC_MESSAGES/gnutls.mo
	/usr/share/locale/ka/LC_MESSAGES/gnutls.mo
	/usr/share/locale/ms/LC_MESSAGES/gnutls.mo
	/usr/share/locale/nl/LC_MESSAGES/gnutls.mo
	/usr/share/locale/pl/LC_MESSAGES/gnutls.mo
	/usr/share/locale/pt_BR/LC_MESSAGES/gnutls.mo
	/usr/share/locale/ro/LC_MESSAGES/gnutls.mo
	/usr/share/locale/sr/LC_MESSAGES/gnutls.mo
	/usr/share/locale/sv/LC_MESSAGES/gnutls.mo
	/usr/share/locale/uk/LC_MESSAGES/gnutls.mo
	/usr/share/locale/vi/LC_MESSAGES/gnutls.mo
	/usr/share/locale/zh_CN/LC_MESSAGES/gnutls.mo

[scholzj]

So, as I said, we did a CVE respin on Tuesday. So if these are still in the latest images, that means the fixes were not available in the base image nor in the RPM repositories and we could not address them. The next release - 0.48.0 - will likely GA next week. That was build yesterday, so it might have some additional fixes if they were made available in the meantime.

[smazsta]

Thanks for the clarification! I understand that if the fixes aren’t in the base image or RPM repos yet, they can’t be picked up by Strimzi directly. I’ll re-check the latest respun images and test 0.48.0 once it’s out.

[ppatierno]

@smazsta the 0.48.0 RC1 is out for testing and you could already get an idea of which CVEs are fixed or present on the images https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.48.0-rc1 . Of course, between now and the GA base images could change again and the rebuild will take new fixes (or new CVEs).

[R3ason]

Is there an easy way to determine when the latest CVE re-spin was performed? We are in a similar position where the containers hosted on Quay.io are reporting several High vulns which all appear to be fixed in their latest respective packages. Cheers.

[scholzj]

Maybe from some metadata of the images?

You should start by sharing what images are you talking about, what CVEs, in what exact path etc., and we can have a look if a CVE re-spin might help or not.

[scholzj]

But just to be clear, we can do a respin for 0.48 if needed. I do not think we have any plans for any CVE respins for 0.47.

[R3ason]

Yep, that's my bad; sincere apologies for the poor form/etiquette.

I'm looking at the strimzi/kafka container images ( https://quay.io/repository/strimzi/kafka ) for the latest-kafka-4.1.0 tag > amd64 manifest:
GHSA-hcg3-q754-cr77 (NVD - CVE-2025-22869)
GHSA-78wr-2p64-hpwj (NVD - CVE-2024-47554)
GHSA-wxr5-93ph-8wr9 (NVD - CVE-2025-48734)
CVE-2025-59375
GHSA-q4rv-gq96-w7c5 (in jetty-server)
GHSA-prj3-ccx8-p6x4 (in netty-codec-http2)

cheers

[scholzj]

Yeah, but as I said, you have to share the actual path where the CVE is. Without that, there is not much I can tell.