You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Akansh Shandilya (JIRA)" <ji...@apache.org> on 2018/04/02 05:04:00 UTC

[jira] [Created] (KAFKA-6737) Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489

Akansh Shandilya created KAFKA-6737:
---------------------------------------

             Summary: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489
                 Key: KAFKA-6737
                 URL: https://issues.apache.org/jira/browse/KAFKA-6737
             Project: Kafka
          Issue Type: Bug
          Components: packaging, security, unit tests
    Affects Versions: 1.0.1, 1.1.0, 0.10.1.0
            Reporter: Akansh Shandilya


Kafka is using FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 , which allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

 

I have checked that all released versions of Kafka are using jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5.

There are three open questions:

Question1: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489?

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489]

Question2: If answer of first question is Yes. Is there any workaround to fix it on released version. 

Question3: If answer of first question is Yes. Should we fix it in future versions?

 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)