[ https://issues.apache.org/jira/browse/KAFKA-14267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zach Fry updated KAFKA-14267:
-----------------------------
    Description: 
[https://nvd.nist.gov/vuln/detail/CVE-2022-36944]

This is marked as a CRITICAL severity vulnerability with a 9.8 score (out of 10).
{quote}Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR 
file. On its own, it cannot be exploited. There is only a risk in conjunction 
with LazyList object deserialization within an application. In such situations, 
it allows attackers to erase contents of arbitrary files, make network 
connections, or possibly run arbitrary code (specifically, Function0 functions) 
via a gadget chain.
{quote}
 

It looks like the default scala version used to build kafka on trunk is 
[https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L31].

I'm not super sure what the kafka EOL policy is, but if we could get this 
backported to the 2.8 branch as well that'd be fantastic. 


> CVE-2022-36944 - Scala deserialization bug
> ------------------------------------------
>
>                 Key: KAFKA-14267
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14267
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Zach Fry
>            Priority: Major
>


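An added check, not part of the issue or of the Kafka project, that scans a Gradle dependencies file for `scala*` version entries and flags any 2.13.x entry below the fixed 2.13.9 named in the advisory; the sample file contents and the `scala212`/`scala213` key names are constructed assumptions, not the real contents of `gradle/dependencies.gradle`.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample modelled loosely on a Gradle versions map; the key
# names and values are assumptions, not Kafka's real dependencies.gradle.
SAMPLE_GRADLE = """
versions += [
  scala212: "2.12.15",
  scala213: "2.13.8",
  jackson: "2.13.3",
]
"""

# CVE-2022-36944: Scala 2.13.x before 2.13.9 carries the LazyList gadget chain.
FIXED_213 = (2, 13, 9)

# Matches lines such as:   scala213: "2.13.8",
VERSION_RE = re.compile(r'^\s*(scala\w*)\s*:\s*["\']([\d.]+)["\']', re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2.13.8" into (2, 13, 8) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def scala_versions(gradle_text: str) -> Dict[str, Tuple[int, ...]]:
    """Return {key: version_tuple} for every scala* entry in the file."""
    return {key: parse_version(ver) for key, ver in VERSION_RE.findall(gradle_text)}


def affected_by_cve_2022_36944(version: Tuple[int, ...]) -> Optional[bool]:
    """True if affected, False if fixed, None if outside the 2.13.x range the advisory covers."""
    if version[:2] != (2, 13):
        return None  # advisory text only speaks about the 2.13 line
    return version < FIXED_213


def audit(gradle_text: str) -> Dict[str, Optional[bool]]:
    """Map each scala* entry to its CVE-2022-36944 status."""
    return {key: affected_by_cve_2022_36944(ver) for key, ver in scala_versions(gradle_text).items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED (< 2.13.9)", False: "fixed", None: "not covered by advisory"}
    for key, status in audit(SAMPLE_GRADLE).items():
        print(f"{key}: {labels[status]}")
```

Run it against the real file with `audit(open("gradle/dependencies.gradle").read())` on a checked-out branch to see which Scala entries still need the bump.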

--
This message was sent by Atlassian Jira
(v8.20.10#820010)