You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Zach Fry (Jira)" <ji...@apache.org> on 2022/09/29 16:28:00 UTC

[jira] [Created] (KAFKA-14267) CVE-2022-36944 - Scala deserialization bug

Zach Fry created KAFKA-14267:
--------------------------------

             Summary: CVE-2022-36944 - Scala deserialization bug
                 Key: KAFKA-14267
                 URL: https://issues.apache.org/jira/browse/KAFKA-14267
             Project: Kafka
          Issue Type: Bug
            Reporter: Zach Fry


[https://nvd.nist.gov/vuln/detail/CVE-2022-36944]
{quote}Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
{quote}
 

It looks like the default scala version used to build kafka on trunk is [https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L31.] 

I'm not super sure what the kafka EOL policy is, but if we could get this backported to the 2.8 branch as well that'd be fantastic. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)