You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Manikumar (JIRA)" <ji...@apache.org> on 2018/06/19 13:46:00 UTC
[jira] [Resolved] (KAFKA-6737) Is Kafka imapcted by critical
vulnerqbilty CVE-2018-7489
[ https://issues.apache.org/jira/browse/KAFKA-6737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar resolved KAFKA-6737.
------------------------------
Resolution: Fixed
Fix Version/s: 2.0.0
This will be fixed part of upcoming 2.00, 1.1.1, 1.0.2 releases.
> Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489
> --------------------------------------------------------
>
> Key: KAFKA-6737
> URL: https://issues.apache.org/jira/browse/KAFKA-6737
> Project: Kafka
> Issue Type: Bug
> Components: packaging, security, unit tests
> Affects Versions: 0.10.1.0, 1.1.0, 1.0.1
> Reporter: Akansh Shandilya
> Priority: Critical
> Fix For: 2.0.0
>
>
> Kafka is using FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 , which allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
>
> I have checked that all released versions of Kafka are using jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5.
> There are three open questions:
> Question1: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489?
> [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489]
> Question2: If answer of first question is Yes. Is there any workaround to fix it on released version.
> Question3: If answer of first question is Yes. Should we fix it in future versions?
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)