You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "John Stacy (Jira)" <ji...@apache.org> on 2021/02/11 20:53:00 UTC
[jira] [Created] (KAFKA-12325) Update to secure versions of scala
libraries due to CVE-2017-15288
John Stacy created KAFKA-12325:
----------------------------------
Summary: Update to secure versions of scala libraries due to CVE-2017-15288
Key: KAFKA-12325
URL: https://issues.apache.org/jira/browse/KAFKA-12325
Project: Kafka
Issue Type: Bug
Reporter: John Stacy
h3. CVE-2017-15288 Detail
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
h3. Scala security update
https://www.scala-lang.org/news/security-update-nov17.html
h3. Libraries Bundled with Kafka 2.7.0 with Scala 2.12
kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar
kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar
kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar
kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar
kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar
kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar
kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar
It is unclear, but it appears that some of the 2.12 jars that Kafka is using are not at the recommended version per the Scala security update. Perhaps the ones that are not yet at 2.12.4 are not affected by the vulnerability? If that is the case, please disregard, but if not, then the minimum version should include the patch.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)