[ https://issues.apache.org/jira/browse/KAFKA-6737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar resolved KAFKA-6737.
------------------------------
    Resolution: Fixed
    Fix Version/s: 2.0.0

This will be fixed as part of the upcoming 2.00, 1.1.1, 1.0.2 releases.

> Is Kafka impacted by critical vulnerability CVE-2018-7489
> --------------------------------------------------------
>
>                 Key: KAFKA-6737
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6737
>             Project: Kafka
>          Issue Type: Bug
>          Components: packaging, security, unit tests
>    Affects Versions: 0.10.1.0, 1.1.0, 1.0.1
>            Reporter: Akansh Shandilya
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> Kafka is using FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
> 2.9.5, which allows unauthenticated remote code execution because of an
> incomplete fix for the CVE-2017-7525 deserialization flaw. This is
> exploitable by sending maliciously crafted JSON input to the readValue method
> of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0
> libraries are available in the classpath.
>
> I have checked that all released versions of Kafka are using jackson-databind
> before 2.8.11.1 and 2.9.x before 2.9.5.
>
> There are three open questions:
>
> Question 1: Is Kafka impacted by critical vulnerability CVE-2018-7489?
> [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489]
>
> Question 2: If the answer to the first question is yes, is there any workaround
> to fix it on released versions?
>
> Question 3: If the answer to the first question is yes, should we fix it in
> future versions?
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
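As an added check that is not part of the issue thread, the following Python script applies the affected ranges quoted in the description (any jackson-databind before 2.8.11.1, and 2.9.x before 2.9.5) to the versions it finds in `mvn dependency:tree` output, so a build can flag a vulnerable transitive dependency before release. The dependency-tree lines are constructed sample input, not real project output.

```python
"""Flag jackson-databind versions in the CVE-2018-7489 ranges given above."""
import re
from typing import List, Tuple

# Boundaries taken from the issue text: fixed in 2.8.11.1 and in 2.9.5.
FIXED_2_8 = (2, 8, 11, 1)
FIXED_2_9 = (2, 9, 5)

# Matches Maven tree entries such as
# "+- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile".
DATABIND_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:(?:jar:)?(\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.9.4' or '2.8.11.1' into a tuple of ints for comparison.
    Trailing qualifiers such as '-rc1' are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the version lies in a range the issue describes as vulnerable."""
    v = parse_version(version)
    if v[:2] == (2, 9):          # 2.9.x line: fixed from 2.9.5
        return v < FIXED_2_9
    return v < FIXED_2_8         # every other line: fixed from 2.8.11.1


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for each jackson-databind entry found."""
    found = []
    for line in tree_text.splitlines():
        match = DATABIND_RE.search(line)
        if match:
            found.append((match.group(1), is_affected(match.group(1))))
    return found


# Constructed sample of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = """\
[INFO] example:my-service:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"jackson-databind {version}: {'AFFECTED' if affected else 'ok'}")
```

Versions outside the 2.8 and 2.9 lines that the issue does not mention (for example 2.10.x) are not flagged, since the script encodes only the ranges stated on the page.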