[https://issues.apache.org/jira/browse/KAFKA-14267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611180#comment-17611180]
Zach Fry commented on KAFKA-14267:
----------------------------------
Upon some investigation, I wasn't able to find anywhere in the Kafka codebase
that uses `LazyList` data structures. Though it would be great if a maintainer
can confirm that this is the case.
> CVE-2022-36944 - Scala deserialization bug
> ------------------------------------------
>
> Key: KAFKA-14267
> URL: https://issues.apache.org/jira/browse/KAFKA-14267
> Project: Kafka
> Issue Type: Bug
> Reporter: Zach Fry
> Priority: Major
>
> [https://nvd.nist.gov/vuln/detail/CVE-2022-36944]
> This is marked as CRITICAL severity vulnerability with a 9.8 score (out of
> 10).
> {quote}Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR
> file. On its own, it cannot be exploited. There is only a risk in conjunction
> with LazyList object deserialization within an application. In such
> situations, it allows attackers to erase contents of arbitrary files, make
> network connections, or possibly run arbitrary code (specifically, Function0
> functions) via a gadget chain.
> {quote}
>
> It looks like the default scala version used to build kafka on trunk is
> [https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L31].
> I'm not super sure what the kafka EOL policy is, but if we could get this
> backported to the 2.8 branch as well that'd be fantastic.
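Added example, not part of the ticket and not Kafka's or Scala's own code: a JVM deserialization filter that rejects the `scala.collection.immutable.LazyList` classes named in the CVE text and allow-lists only the types a hypothetical consumer expects, which is the defender-side control for the "only a risk in conjunction with LazyList object deserialization" condition above. The class name, allow-list and sample objects are assumptions.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class (assumption): shows how an application that must
// deserialize Java objects can block the LazyList gadget entry point.
public class LazyListFilterDemo {

    // Filter pattern (JDK ObjectInputFilter syntax, Java 9+):
    //  - "!scala.collection.immutable.LazyList*" rejects the class and its
    //    nested classes (the CVE's gadget entry point) by name prefix;
    //  - maxdepth/maxarray bound resource use from crafted streams;
    //  - then an explicit allow-list of the types this consumer expects;
    //  - "!*" rejects every class not matched earlier.
    static final String FILTER_PATTERN =
        "!scala.collection.immutable.LazyList*;"
      + "maxdepth=16;maxarray=10000;"
      + "java.lang.String;java.util.ArrayList;"
      + "!*";

    static final ObjectInputFilter FILTER =
        ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter applied to this stream only. A rejected
    // class fails with InvalidClassException before any of its code runs.
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allow-listed type round-trips normally.
        List<String> allowed = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + deserializeFiltered(serialize(allowed)));

        // java.util.HashMap is not on the allow-list, so "!*" rejects it.
        try {
            deserializeFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the JDK system property `-Djdk.serialFilter=...`, which covers third-party code paths that open their own `ObjectInputStream`.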
--
This message was sent by Atlassian Jira
(v8.20.10#820010)