kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Akansh Shandilya (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-6737) Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489
Date Mon, 02 Apr 2018 05:23:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-6737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16421943#comment-16421943
] 

Akansh Shandilya commented on KAFKA-6737:
-----------------------------------------

Dear Ismael,

Thanks a lot, for confirmation that Kafka does not use c3p0 in the classpath. 

Regarding Jackson upgrade to 2.9.5, what is expected release date and version. I am new to
this site, so asking for help.

 

With Best Regards,

Akansh

 

> Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489
> --------------------------------------------------------
>
>                 Key: KAFKA-6737
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6737
>             Project: Kafka
>          Issue Type: Bug
>          Components: packaging, security, unit tests
>    Affects Versions: 0.10.1.0, 1.1.0, 1.0.1
>            Reporter: Akansh Shandilya
>            Priority: Critical
>
> Kafka is using FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 , which
allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525
deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the
readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0
libraries are available in the classpath.
>  
> I have checked that all released versions of Kafka are using jackson-databind before
2.8.11.1 and 2.9.x before 2.9.5.
> There are three open questions:
> Question1: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489?
> [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489]
> Question2: If answer of first question is Yes. Is there any workaround to fix it on released
version. 
> Question3: If answer of first question is Yes. Should we fix it in future versions?
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message