The Jackson JSON parser library had a couple of CVEs announced:

1. CVE-2017-7525
2. CVE-2017-15095

Here's a skimmable summary: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

Looking at the source, it appears Kafka uses an older version of Jackson which has the vulnerabilities. However, these vulnerabilities only happen when Jackson is used in specific ways. I'm not familiar enough with all the places that Kafka uses Jackson to understand whether Kafka is susceptible, and I come from a non-Java background, so it's difficult for me to parse the Java source with 100% confidence that I understand what's happening.

I know primarily Kafka uses JSON for inter-cluster communication through Zookeeper, so if an attacker could access Zookeeper, could they update the znode payloads to exploit this? Additionally, I think there are some util scripts that (de)serialize JSON files, for example the partition-reassignment scripts...

So do these CVEs apply to Kafka? If so, it seems the patch is fairly trivial, just upgrading to a newer version of Jackson... should this also be backported to the 1.0.1 release?

--
*Jeff Widman*
jeffwidman.com <http://www.jeffwidman.com/> | 740-WIDMAN-J (943-6265) <><
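A triage check for the question above, added here as an example (it is not part of the original mail or of the Kafka project): it scans a source tree for the pinned Jackson version and for the polymorphic-typing call sites (`enableDefaultTyping` / `@JsonTypeInfo`) that CVE-2017-7525 depends on, and runs against a small constructed sample tree. The Gradle key `jackson:` and the version `2.9.0` in the sample are assumptions for illustration, not Kafka's actual values.

```shell
#!/bin/sh
# Added example, not project code. CVE-2017-7525 needs Jackson's default typing
# (enableDefaultTyping) or @JsonTypeInfo polymorphism on attacker-controlled input;
# plain readValue() into concrete classes does not hit the published gadget chains.

# Print the Jackson version string(s) pinned in Gradle files under $1.
# Assumption: the pin looks like `jackson: "x.y.z"`; adjust the key for other trees.
jackson_version() {
  grep -rhoE --include='*.gradle' \
    'jackson[A-Za-z]*[[:space:]]*[:=][[:space:]]*"[0-9][0-9.]*"' "$1" 2>/dev/null \
    | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | sort -u
}

# List call sites (file:line:text) that opt in to polymorphic typing.
risky_call_sites() {
  grep -rEn --include='*.java' --include='*.scala' \
    'enableDefaultTyping|activateDefaultTyping|@JsonTypeInfo' "$1" 2>/dev/null
}

# Summarise the tree: exit 0 if any polymorphic-typing call site exists, else 1.
audit_jackson_usage() {
  dir="$1"
  echo "jackson version(s) pinned: $(jackson_version "$dir" | tr '\n' ' ')"
  sites=$(risky_call_sites "$dir" || true)
  if [ -n "$sites" ]; then
    echo "polymorphic typing in use; check whether the parsed input is attacker-controlled:"
    echo "$sites"
    return 0
  fi
  echo "no default/polymorphic typing found; CVE-2017-7525 precondition absent"
  return 1
}

# Build a constructed sample tree (values are made up for the demo).
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/gradle" "$d/src"
  printf 'versions += [\n  jackson: "2.9.0",\n]\n' > "$d/gradle/dependencies.gradle"
  printf 'ObjectMapper m = new ObjectMapper();\nm.enableDefaultTyping();\n' > "$d/src/Json.java"
  echo "$d"
}

sample=$(make_sample_tree)
audit_jackson_usage "$sample"
rm -rf "$sample"
```

Point it at a real checkout with `audit_jackson_usage /path/to/kafka`; any hit still needs a manual look at where the parsed JSON comes from (znode payloads, reassignment files) before calling it exploitable.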
