Re: Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-21 Thread Jeff Widman
My bad, I forgot I had checked out the 1.0.1 source which has Jackson 2.9.1... I thought the fix required 2.9.3 based on what I'd been told by the security team at a customer (the original motivation behind my email), but I dug a bit deeper and it looks like 2.9.1 has the patch

Re: Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-20 Thread Ismael Juma
Hi Jeff,

Have you checked trunk and 1.1? They should be using the latest version.

Ismael

On Tue, Feb 20, 2018 at 10:38 PM, Jeff Widman wrote:
> The Jackson JSON parser library had a couple of CVEs announced:
> 1. CVE-2017-7525
> 2. CVE-2017-15095
>
> Here's a skimmable summary:
> https://adam

Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-20 Thread Jeff Widman
The Jackson JSON parser library had a couple of CVEs announced:
1. CVE-2017-7525
2. CVE-2017-15095

Here's a skimmable summary: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

Looking at the source, it appears Kafka uses an older version of Jackson which has the vulnerabi