Kafka is using FasterXML jackson-databind before 220.127.116.11 and 2.9.x before 2.9.5 , which allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
I have checked that all released versions of Kafka are using jackson-databind before 18.104.22.168 and 2.9.x before 2.9.5.
There are three open questions:
Question1: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489?
Question2: If answer of first question is Yes. Is there any workaround to fix it on released version.
Question3: If answer of first question is Yes. Should we fix it in future versions?