Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-6737

Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.10.1.0, 1.0.1, 1.1.0
    • Fix Version/s: 2.0.0
    • Component/s: packaging, security, unit tests
    • Labels:
      None

      Description

      Kafka is using FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 , which allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

       

      I have checked that all released versions of Kafka are using jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5.

      There are three open questions:

      Question1: Is Kafka imapcted by critical vulnerqbilty CVE-2018-7489?

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489

      Question2: If answer of first question is Yes. Is there any workaround to fix it on released version. 

      Question3: If answer of first question is Yes. Should we fix it in future versions?

       

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              akansh Akansh Shandilya
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: