[
https://issues.apache.org/jira/browse/KAFKA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
John Stacy resolved KAFKA-12325.
--------------------------------
Resolution: Not A Problem
> Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
> -------------------------------------------------------------------
>
> Key: KAFKA-12325
> URL: https://issues.apache.org/jira/browse/KAFKA-12325
> Project: Kafka
> Issue Type: Bug
> Reporter: John Stacy
> Priority: Major
>
> h3. CVE-2017-15288 Detail
> The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and
> 2.12.x before 2.12.4 uses weak permissions for private files in
> /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows
> local users to write to arbitrary class files and consequently gain
> privileges.
> h3. Scala security update
> https://www.scala-lang.org/news/security-update-nov17.html
> h3. Libraries Bundled with Kafka 2.7.0 with Scala 2.12
> kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar
> kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar
> kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar
> kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar
> kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar
> kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar
> kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar
> It is unclear, but it appears that some of the 2.12 jars that Kafka is using
> are not at the recommended version per the Scala security update. Perhaps the
> ones that are not yet at 2.12.4 are not affected by the vulnerability? If
> that is the case, please disregard, but if not, then the minimum version
> should include the patch.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
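The question in the issue turns on reading the bundled jar names correctly: for a cross-built library such as scala-collection-compat_2.12-2.2.0.jar the "_2.12" suffix is only the Scala binary version it was compiled against, and the trailing "2.2.0" is that library's own release number, not a Scala version, so it cannot be "below 2.12.4". The only jars whose version is a Scala release are the distribution jars (scala-library, scala-reflect, scala-compiler), and the compile daemon that CVE-2017-15288 describes ships in scala-compiler, which the listing does not contain. The script below is an added example, not code from the issue or from the Kafka project: it encodes the fixed versions from the quoted advisory (2.10.7, 2.11.12, 2.12.4), classifies each jar by name, and reports any Scala distribution jar below its fixed version. The sample input is constructed from the libs listing in the issue; the `classify_jar` and `assess` helpers are hypothetical names chosen here.

```python
import re
from typing import Optional

# Minimum fixed release per series, from the Scala advisory quoted in the issue.
# Anything earlier in the same series is affected by CVE-2017-15288.
FIXED_VERSIONS = {
    (2, 10): (2, 10, 7),
    (2, 11): (2, 11, 12),
    (2, 12): (2, 12, 4),
}

# Scala distribution jars: their version number IS a Scala release version.
# The compile daemon (fsc) named in the CVE lives in scala-compiler.
SCALA_CORE = re.compile(
    r"^(scala-library|scala-reflect|scala-compiler)-(\d+)\.(\d+)\.(\d+)\.jar$"
)

# Cross-built jars: "_2.12" is only the Scala binary version they target;
# the number after the dash is the library's own version, not a Scala version.
CROSS_BUILT = re.compile(r"^(.+)_(\d+)\.(\d+)-([\w.\-]+)\.jar$")

# Constructed sample: the kafka_2.12-2.7.0/libs entries quoted in the issue.
SAMPLE_LIBS = [
    "kafka_2.12-2.7.0/libs/jackson-module-scala_2.12-2.10.5.jar",
    "kafka_2.12-2.7.0/libs/scala-collection-compat_2.12-2.2.0.jar",
    "kafka_2.12-2.7.0/libs/scala-java8-compat_2.12-0.9.1.jar",
    "kafka_2.12-2.7.0/libs/scala-logging_2.12-3.9.2.jar",
    "kafka_2.12-2.7.0/libs/scala-reflect-2.12.12.jar",
    "kafka_2.12-2.7.0/libs/scala-library-2.12.12.jar",
    "kafka_2.12-2.7.0/libs/kafka-streams-scala_2.12-2.7.0.jar",
]


def classify_jar(path: str) -> Optional[dict]:
    """Classify one jar path as a Scala distribution jar, a cross-built jar, or neither."""
    name = path.rsplit("/", 1)[-1]
    m = SCALA_CORE.match(name)
    if m:
        version = tuple(int(x) for x in m.group(2, 3, 4))
        fixed = FIXED_VERSIONS.get(version[:2])
        return {
            "jar": name,
            "artifact": m.group(1),
            "kind": "scala-core",
            "version": version,
            "fixed": fixed,
            # None when the series is not covered by the advisory (e.g. 2.13)
            "patched": None if fixed is None else version >= fixed,
        }
    m = CROSS_BUILT.match(name)
    if m:
        return {
            "jar": name,
            "artifact": m.group(1),
            "kind": "cross-built",
            "binary_version": (int(m.group(2)), int(m.group(3))),
            "library_version": m.group(4),
        }
    return None


def assess(paths) -> dict:
    """Summarise a libs listing: which jars carry a real Scala version, and which are below the fix."""
    core, cross = [], []
    for p in paths:
        info = classify_jar(p)
        if info is None:
            continue
        (core if info["kind"] == "scala-core" else cross).append(info)
    return {
        "scala_core": core,
        "cross_built": cross,
        # The vulnerable component is the compiler's daemon, so note whether it is bundled at all.
        "compiler_present": any(i["artifact"] == "scala-compiler" for i in core),
        "unpatched": [i["jar"] for i in core if i["patched"] is False],
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LIBS)
    for i in result["scala_core"]:
        print(f"{i['jar']}: Scala {'.'.join(map(str, i['version']))}, "
              f"fixed at {'.'.join(map(str, i['fixed']))}, patched={i['patched']}")
    for i in result["cross_built"]:
        print(f"{i['jar']}: cross-built for Scala {i['binary_version']}, "
              f"library version {i['library_version']} (not a Scala version)")
    print("scala-compiler bundled:", result["compiler_present"])
    print("unpatched Scala jars:", result["unpatched"] or "none")
```

Run against the quoted listing, the two distribution jars (scala-library and scala-reflect 2.12.12) are at or above 2.12.4, the five "_2.12" jars are cross-built libraries whose trailing numbers say nothing about the Scala release, and no scala-compiler jar is present; the same check will flag a jar such as scala-compiler-2.11.11.jar if one turns up in a different distribution.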