Hi Jeff,

Have you checked trunk and 1.1? They should be using the latest version.

Ismael

On Tue, Feb 20, 2018 at 10:38 PM, Jeff Widman <j...@jeffwidman.com> wrote:
> The Jackson JSON parser library had a couple of CVEs announced:
> 1. CVE-2017-7525
> 2. CVE-2017-15095
>
> Here's a skimmable summary:
> https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
>
> Looking at the source, it appears Kafka uses an older version of Jackson which has the vulnerabilities.
>
> However, these vulnerabilities only happen when Jackson is used in specific ways. I'm not familiar enough with all the places that Kafka uses Jackson to understand whether Kafka is susceptible, and I come from a non-Java background, so it's difficult for me to parse the Java source with 100% confidence that I understand what's happening.
>
> I know primarily Kafka uses JSON for inter-cluster communication through Zookeeper, so if an attacker could access Zookeeper, could they update the znode payloads to exploit this? Additionally, I think there are some util scripts that (de)serialize JSON files, for example the partition-reassignment scripts...
>
> So do these CVEs apply to Kafka?
>
> If so, it seems the patch is fairly trivial of just upgrading to a newer version of Jackson... should this also be backported to the 1.0.1 release?
>
> --
>
> *Jeff Widman*
> jeffwidman.com <http://www.jeffwidman.com/> | 740-WIDMAN-J (943-6265)
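The "used in specific ways" point in Jeff's mail refers to Jackson's default typing, where the JSON input itself names the class to instantiate. The following is an added example, not code from this thread or from Kafka, showing the risky ObjectMapper configuration beside two safer ones; it assumes Jackson 2.10 or later on the classpath (for PolymorphicTypeValidator) and a hypothetical PartitionAssignment POJO standing in for a Kafka-style JSON payload such as a znode value.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingCheck {
    // Hypothetical POJO: the shape of a Kafka-style JSON payload (constructed for this example).
    public static class PartitionAssignment {
        public String topic;
        public int partition;
        public int[] replicas;
    }

    // RISKY: global default typing lets the *input* choose which class Jackson instantiates.
    // This is the usage pattern CVE-2017-7525 / CVE-2017-15095 apply to; deprecated since 2.10.
    public static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // SAFE (what most Kafka-style tooling needs): no default typing at all. The target class is
    // fixed by the caller, and unexpected properties in the input are rejected rather than ignored.
    public static ObjectMapper plainMapper() {
        ObjectMapper m = new ObjectMapper();
        m.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        return m;
    }

    // SAFER when polymorphism is genuinely required: restrict the resolvable subtypes to an
    // explicit allow-list instead of trusting whatever class name appears in the JSON.
    public static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(PartitionAssignment.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input resembling a partition-reassignment entry.
        String json = "{\"topic\":\"orders\",\"partition\":3,\"replicas\":[1,2,3]}";
        PartitionAssignment pa = plainMapper().readValue(json, PartitionAssignment.class);
        System.out.println(pa.topic + "-" + pa.partition + " replicas=" + pa.replicas.length);
    }
}
```

Auditing a codebase for this issue means looking for `enableDefaultTyping` calls (or `@JsonTypeInfo` with `Id.CLASS`) on mappers that read untrusted input; upgrading the Jackson version closes the known gadget blacklist gaps but removing default typing on untrusted input is the durable fix.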