John Stacy created KAFKA-12325:
----------------------------------

             Summary: Update to secure versions of scala libraries due to 
CVE-2017-15288
                 Key: KAFKA-12325
                 URL: https://issues.apache.org/jira/browse/KAFKA-12325
             Project: Kafka
          Issue Type: Bug
            Reporter: John Stacy


h3. CVE-2017-15288 Detail

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 
2.12.x before 2.12.4 uses weak permissions for private files in 
/tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local 
users to write to arbitrary class files and consequently gain privileges.
h3. Scala security update

https://www.scala-lang.org/news/security-update-nov17.html
h3. Libraries Bundled with Kafka 2.7.0 with Scala 2.12

kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar
kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar
kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar
kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar
kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar
kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar
kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar

It is unclear, but it appears that some of the 2.12 jars that Kafka is using 
are not at the recommended version per the Scala security update. Perhaps the 
ones that are not yet at 2.12.4 are not affected by the vulnerability? If that 
is the case, please disregard, but if not, then the minimum version should 
include the patch.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
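As an added example (not code from the Kafka project or from the reporter), the following Python script audits a list of jar names such as the one in the report and separates the two kinds of version number that appear in it. It relies on the fixed versions stated in the CVE text (2.10.7, 2.11.12 and 2.12.4) and on the standard Scala artifact naming convention: the version of scala-library, scala-reflect or scala-compiler is the Scala release itself, while a `_2.12` suffix on any other jar only records the Scala binary version it was built against, and the number after it is that library's own version. `KAFKA_270_LIBS` reproduces the names from the report; `OLD_BUNDLE` is constructed input, not from any release, used to show the check firing; `audit_dir` and the other function names are chosen here.

```python
"""Audit jar names from a Kafka libs/ directory for CVE-2017-15288.

Added example, not Kafka's or the reporter's code. Assumptions:
  * fixed versions as quoted in the CVE text: 2.10.7, 2.11.12, 2.12.4;
  * scala-library / scala-reflect / scala-compiler carry the Scala release
    in their version, while `<name>_2.12-<ver>.jar` is a library cross-built
    for Scala 2.12 whose `<ver>` is the library's own version.
"""
import re
from pathlib import Path

# First fixed release on each affected Scala line, from the CVE-2017-15288 text.
FIXED_SCALA = {(2, 10): (2, 10, 7), (2, 11): (2, 11, 12), (2, 12): (2, 12, 4)}

# Artifacts whose version number *is* the Scala version.
CORE_RE = re.compile(r"^(scala-(?:library|reflect|compiler))-(\d+\.\d+\.\d+)\.jar$")
# Cross-built libraries: <name>_<scalaBinaryVersion>-<libraryVersion>.jar
CROSS_RE = re.compile(r"^(.+?)_(\d+\.\d+)-([0-9][0-9A-Za-z.\-]*)\.jar$")


def parse_version(text):
    """'2.12.12' -> (2, 12, 12); non-numeric qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def classify(jar):
    """Return a finding dict for one jar file name."""
    m = CORE_RE.match(jar)
    if m:
        name, ver = m.group(1), parse_version(m.group(2))
        fixed = FIXED_SCALA.get(ver[:2])
        if fixed is not None:
            status = "vulnerable" if ver < fixed else "fixed"
        else:
            # Anything older than 2.10.7 is "before 2.10.7"; newer lines are outside the advisory.
            status = "vulnerable" if ver < (2, 10, 7) else "not in affected range"
        return {"jar": jar, "kind": "scala-core", "artifact": name,
                "scala_version": ".".join(map(str, ver)), "status": status}
    m = CROSS_RE.match(jar)
    if m:
        return {"jar": jar, "kind": "cross-built", "artifact": m.group(1),
                "scala_binary_version": m.group(2), "library_version": m.group(3),
                "status": "version is the library's own; check that library's advisories"}
    return {"jar": jar, "kind": "other", "status": "not a Scala artifact"}


def audit(jar_names):
    """Classify every jar name; sorted so output is stable."""
    return [classify(j) for j in sorted(jar_names)]


def vulnerable_jars(jar_names):
    """Scala core jars whose release is below the fixed version for its line."""
    return [f["jar"] for f in audit(jar_names) if f["status"] == "vulnerable"]


def audit_dir(libs_dir):
    """Audit a real directory, e.g. audit_dir('kafka_2.12-2.7.0/libs')."""
    return audit(p.name for p in Path(libs_dir).glob("*.jar"))


# Jar names as listed in the report above (Kafka 2.7.0 built for Scala 2.12).
KAFKA_270_LIBS = [
    "jackson-module-scala_2.12-2.10.5.jar",
    "scala-collection-compat_2.12-2.2.0.jar",
    "scala-java8-compat_2.12-0.9.1.jar",
    "scala-logging_2.12-3.9.2.jar",
    "scala-reflect-2.12.12.jar",
    "scala-library-2.12.12.jar",
    "kafka-streams-scala_2.12-2.7.0.jar",
]

# Constructed input (not from any release): a bundle with a pre-fix compiler.
OLD_BUNDLE = ["scala-library-2.12.3.jar", "scala-compiler-2.12.3.jar",
              "scala-logging_2.12-3.9.2.jar"]

if __name__ == "__main__":
    for finding in audit(KAFKA_270_LIBS) + audit(OLD_BUNDLE):
        print(finding)
    print("vulnerable:", vulnerable_jars(KAFKA_270_LIBS + OLD_BUNDLE))
```

Against the report's list the only jars whose version is a Scala release are scala-library and scala-reflect, both at 2.12.12; the `_2.12` jars are reported separately with their own library versions so they are not mistaken for Scala 2.x releases. The list also contains no scala-compiler jar, which is the artifact that ships the compilation daemon (fsc) the CVE text describes; run `audit_dir` against a real distribution to confirm what is actually bundled.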