[ https://issues.apache.org/jira/browse/KAFKA-14267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611180#comment-17611180 ]
Zach Fry commented on KAFKA-14267:
----------------------------------

Upon some investigation, I wasn't able to find anywhere in the Kafka codebase that uses `LazyList` data structures. Though it would be great if a maintainer could confirm that this is the case.

> CVE-2022-36944 - Scala deserialization bug
> ------------------------------------------
>
>                 Key: KAFKA-14267
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14267
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Zach Fry
>            Priority: Major
>
> [https://nvd.nist.gov/vuln/detail/CVE-2022-36944]
> This is marked as a CRITICAL severity vulnerability with a 9.8 score (out of 10).
> {quote}Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
> {quote}
>
> It looks like the default scala version used to build kafka on trunk is [https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L31].
> I'm not super sure what the kafka EOL policy is, but if we could get this backported to the 2.8 branch as well that'd be fantastic.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
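The quoted advisory says the chain only becomes reachable when an application deserializes a `LazyList` object. Besides upgrading to Scala 2.13.9, a JVM application can refuse that class at the `ObjectInputStream` boundary with a JEP 290 serialization filter. The following is an added example written for this page; it is not Kafka or Scala project code. The filter pattern, the `maxdepth` value and the `StandInGadget` class (a local stand-in used only so the rejection path can be shown without the Scala jar on the classpath) are assumptions of the example. It requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Kafka or Scala project code): a JEP 290 ObjectInputFilter that refuses to
 * deserialize any class whose name starts with scala.collection.immutable.LazyList, the entry
 * point of the gadget chain described in CVE-2022-36944.
 */
public class LazyListDeserializationGuard {

    // Standard jdk.serialFilter pattern syntax: a leading '!' rejects the match, a trailing '*'
    // matches any class with that prefix (so nested classes such as LazyList$State are covered too),
    // and maxdepth bounds the object graph. The prefix and the depth limit are example assumptions.
    static final String FILTER_PATTERN = "!scala.collection.immutable.LazyList*;maxdepth=64";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Stand-in for a blocked class, used only to demonstrate what a rejection looks like. */
    static final class StandInGadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Same shape of filter as FILTER, but naming the stand-in so the demo can show a rejection. */
    static final ObjectInputFilter DEMO_FILTER = ObjectInputFilter.Config.createFilter(
            "!" + StandInGadget.class.getName() + ";maxdepth=64");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the given filter installed; an InvalidClassException means a class was rejected. */
    static Object readGuarded(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless graph passes: none of its classes match the reject pattern.
        List<String> harmless = new ArrayList<>(List.of("a", "b"));
        Object back = readGuarded(serialize(harmless), FILTER);
        System.out.println("allowed: " + back);

        // A graph containing a rejected class is refused before any of its readObject logic runs.
        try {
            readGuarded(serialize(new StandInGadget()), DEMO_FILTER);
            System.out.println("unexpected: stand-in was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide without code changes via the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='!scala.collection.immutable.LazyList*'`), which is useful when the deserialization happens inside a dependency rather than in code you control. Rejection happens when the class descriptor is read, before the class's own deserialization hooks execute, which is what makes the filter effective against gadget chains. Treat it as a compensating control alongside the upgrade to 2.13.9, not a replacement for it.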