Posted to jira@kafka.apache.org by "John Stacy (Jira)" <ji...@apache.org> on 2021/02/15 14:06:00 UTC

[jira] [Resolved] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?

     [ https://issues.apache.org/jira/browse/KAFKA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Stacy resolved KAFKA-12325.
--------------------------------
    Resolution: Not A Problem

> Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
> -------------------------------------------------------------------
>
>                 Key: KAFKA-12325
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12325
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: John Stacy
>            Priority: Major
>
> h3. CVE-2017-15288 Detail
> The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
> h3. Scala security update
> https://www.scala-lang.org/news/security-update-nov17.html
> h3. Libraries Bundled with Kafka 2.7.0 with Scala 2.12
> kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar
> kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar
> kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar
> kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar
> kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar
> kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar
> kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar
> It is unclear, but it appears that some of the 2.12 jars that Kafka is using are not at the recommended version per the Scala security update. Perhaps the ones that are not yet at 2.12.4 are not affected by the vulnerability? If that is the case, please disregard, but if not, then the minimum version should include the patch.
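Added example, not part of the Jira issue or of Kafka's own tooling: a small checker over the jar list quoted above. The `_2.12` in names such as `scala-logging_2.12-3.9.2.jar` is the Scala binary-compatibility suffix of a cross-built library, not that library's Scala version; the Scala runtime version is carried by `scala-library` and `scala-reflect` (here 2.12.12), and the compile daemon the CVE text describes ships with `scala-compiler`, which does not appear in the list. The script parses each name, pulls out the runtime version, compares it with the first fixed releases named in the CVE text (2.10.7, 2.11.12, 2.12.4), and reports whether a compiler jar is bundled at all. The jar names are the constructed sample (copied from the issue); the set of "core" artifact names and the jar-name regex are this example's assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample input: the jar names quoted in KAFKA-12325 (kafka_2.12-2.7.0/libs).
BUNDLED_JARS = [
    "jackson-module-scala_2.12-2.10.5.jar",
    "scala-collection-compat_2.12-2.2.0.jar",
    "scala-java8-compat_2.12-0.9.1.jar",
    "scala-logging_2.12-3.9.2.jar",
    "scala-reflect-2.12.12.jar",
    "scala-library-2.12.12.jar",
    "kafka-streams-scala_2.12-2.7.0.jar",
]

# First fixed release in each affected series, taken from the CVE-2017-15288 text.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (2, 10): (2, 10, 7),
    (2, 11): (2, 11, 12),
    (2, 12): (2, 12, 4),
}

# Assumption: these artifacts carry the Scala version itself; the compile daemon lives in scala-compiler.
SCALA_CORE_ARTIFACTS = {"scala-library", "scala-reflect", "scala-compiler"}

# Maven-style jar name: <artifact>[_<scala binary version>]-<artifact version>.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9.-]+?)"
    r"(?:_(?P<binary>\d+\.\d+))?"
    r"-(?P<version>\d+(?:\.\d+)+)\.jar$"
)


def parse_version(text: str) -> Version:
    """'2.12.12' -> (2, 12, 12), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_jar(name: str) -> Optional[Tuple[str, Optional[str], Version]]:
    """Split a jar name into (artifact, scala binary suffix or None, artifact version)."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("binary"), parse_version(m.group("version"))


def is_affected(version: Version) -> bool:
    """True when a Scala version falls inside one of the CVE's affected ranges."""
    first_fixed = FIRST_FIXED.get(tuple(version[:2]))
    return first_fixed is not None and version < first_fixed


def assess(jars: List[str]) -> Dict[str, object]:
    """Summarise which Scala runtime the jar set pins and whether it is in an affected range."""
    scala_versions = set()
    cross_built = []
    has_compiler = False
    for name in jars:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar name; ignore
        artifact, binary, version = parsed
        if artifact in SCALA_CORE_ARTIFACTS:
            scala_versions.add(version)
            has_compiler = has_compiler or artifact == "scala-compiler"
        elif binary is not None:
            # Cross-built library: '_2.12' only says which Scala series it was built for.
            cross_built.append(name)
    return {
        "scala_versions": sorted(scala_versions),
        "affected": any(is_affected(v) for v in scala_versions),
        "cross_built": cross_built,
        "has_compiler": has_compiler,
    }


if __name__ == "__main__":
    report = assess(BUNDLED_JARS)
    print("Scala runtime version(s):", report["scala_versions"])
    print("In CVE-2017-15288 affected range:", report["affected"])
    print("scala-compiler (compile daemon) bundled:", report["has_compiler"])
    print("Cross-built libraries (version is their own, not Scala's):")
    for name in report["cross_built"]:
        print("  ", name)
```

Run against a real installation by replacing `BUNDLED_JARS` with `os.listdir` of the `libs` directory; the point of the check is that only the `scala-library`/`scala-reflect`/`scala-compiler` version is compared against the CVE ranges, so a `2.2.0` or `0.9.1` on a cross-built jar is never mistaken for an old Scala release.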



--
This message was sent by Atlassian Jira
(v8.3.4#803005)