John Stacy created KAFKA-12325: ---------------------------------- Summary: Update to secure versions of scala libraries due to CVE-2017-15288 Key: KAFKA-12325 URL: https://issues.apache.org/jira/browse/KAFKA-12325 Project: Kafka Issue Type: Bug Reporter: John Stacy
h3. CVE-2017-15288 Detail The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges. h3. Scala security update https://www.scala-lang.org/news/security-update-nov17.html h3. Libraries Bundled with Kafka 2.7.0 with Scala 2.12 kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar It is unclear, but it appears that some of the 2.12 jars that Kafka is using are not at the recommended version per the Scala security update. Perhaps the ones that are not yet at 2.12.4 are not affected by the vulnerability? If that is the case, please disregard, but if not, then the minimum version should include the patch. -- This message was sent by Atlassian Jira (v8.3.4#803005)