My bad, I forgot I had checked out the 1.0.1 source which has Jackson 2.9.1...
I thought the fix required 2.9.3 based on what I'd been told by the security team at a customer (the original motivation behind my email), but I dug a bit deeper and it looks like 2.9.1 has the patch <https://github.com/FasterXML/jackson-databind/issues/1847#issuecomment-348409708>, so 1.0.1 is already protected against this.

Thanks Ismael, and my apologies for wasting everyone's time.

On Tue, Feb 20, 2018 at 11:49 PM, Ismael Juma <ism...@juma.me.uk> wrote:

> Hi Jeff,
>
> Have you checked trunk and 1.1? They should be using the latest version.
>
> Ismael
>
> On Tue, Feb 20, 2018 at 10:38 PM, Jeff Widman <j...@jeffwidman.com> wrote:
>
> > The Jackson JSON parser library had a couple of CVEs announced:
> >
> > 1. CVE-2017-7525
> > 2. CVE-2017-15095
> >
> > Here's a skimmable summary:
> > https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
> >
> > Looking at the source, it appears Kafka uses an older version of Jackson
> > which has the vulnerabilities.
> >
> > However, these vulnerabilities only happen when Jackson is used in specific
> > ways. I'm not familiar enough with all the places that Kafka uses Jackson
> > to understand whether Kafka is susceptible, and I come from a non-Java
> > background so it's difficult for me to parse the Java source with 100%
> > confidence that I understand what's happening.
> >
> > I know primarily Kafka uses JSON for inter-cluster communication through
> > Zookeeper, so if an attacker could access Zookeeper could they update the
> > znode payloads to exploit this? Additionally, I think there are some util
> > scripts that (de)serialize JSON files, for example the
> > partition-reassignment scripts...
> >
> > So do these CVEs apply to Kafka?
> >
> > If so, it seems the patch is fairly trivial of just upgrading to a newer
> > version of Jackson... should this also be backported to the 1.0.1 release?

-- 
*Jeff Widman*
jeffwidman.com <http://www.jeffwidman.com/> | 740-WIDMAN-J (943-6265)
<><
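The point raised in the quoted question, that these CVEs only apply when Jackson is used in specific ways, is easiest to see in code. The following is an added example, not Kafka's code and not from this thread; it assumes jackson-databind 2.9.x on the classpath, and the Marker, Animal and Dog classes and the JSON payloads are constructed for the demonstration. It shows that readTree and a plain readValue never resolve a class name embedded in the input, that enabling default typing (or a @JsonTypeInfo that accepts class names) does, which is the precondition for CVE-2017-7525 (the 2.9.1 patch referenced above blocks a list of known gadget class names rather than changing this behaviour), and the closed named-subtype form to use where polymorphism is genuinely needed.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

/**
 * Added example (not Kafka code, not from the thread). Assumes jackson-databind 2.9.x.
 * Shows which Jackson usage patterns honour a class name supplied inside the JSON input.
 */
public class JacksonTypingDemo {

    /** Harmless stand-in for a gadget class; we only observe whether Jackson instantiates it. */
    public static class Marker {
        static volatile boolean constructed = false;
        public String note;
        public Marker() { constructed = true; }
    }

    /** Constructed input: Jackson's array-style type id naming the Marker class. */
    static String classNamePayload() {
        return "[\"" + Marker.class.getName() + "\",{\"note\":\"hi\"}]";
    }

    /** Tree model: the class name is just a string node in the tree; no class is resolved. */
    static boolean treeModelInstantiates(String json) throws Exception {
        Marker.constructed = false;
        JsonNode node = new ObjectMapper().readTree(json);
        return Marker.constructed;
    }

    /** Plain readValue with a default mapper: the array is bound to an ArrayList of plain values. */
    static boolean plainReadValueInstantiates(String json) throws Exception {
        Marker.constructed = false;
        Object value = new ObjectMapper().readValue(json, Object.class);
        return Marker.constructed;
    }

    /**
     * Default typing: the mapper resolves the class name from the input and calls its
     * constructor. This is the usage pattern CVE-2017-7525 depends on.
     */
    static boolean defaultTypingInstantiates(String json) throws Exception {
        Marker.constructed = false;
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // 2.9-era API
        Object value = mapper.readValue(json, Object.class);
        return Marker.constructed;
    }

    /** Hardened polymorphism: logical type names and a closed subtype list, never class names. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Dog.class, name = "dog") })
    public interface Animal {}

    public static class Dog implements Animal {
        public String name;
    }

    static Animal readAnimal(String json) throws Exception {
        return new ObjectMapper().readValue(json, Animal.class);
    }

    public static void main(String[] args) throws Exception {
        String payload = classNamePayload();
        System.out.println("readTree instantiated Marker:         " + treeModelInstantiates(payload));
        System.out.println("readValue(Object) instantiated Marker: " + plainReadValueInstantiates(payload));
        System.out.println("default typing instantiated Marker:    " + defaultTypingInstantiates(payload));

        // Named subtypes: a known logical name binds, a class name is rejected outright.
        Animal a = readAnimal("{\"type\":\"dog\",\"name\":\"rex\"}");
        System.out.println("named subtype bound to: " + a.getClass().getSimpleName());
        try {
            readAnimal("{\"type\":\"" + Marker.class.getName() + "\"}");
        } catch (InvalidTypeIdException e) {
            System.out.println("class-name type id rejected: " + e.getTypeId());
        }
    }
}
```

The practical audit question for a codebase like Kafka's is therefore not "which Jackson version is on the classpath" alone, but whether any ObjectMapper has default typing enabled or any deserialized type carries a class-name-based @JsonTypeInfo and is reachable from attacker-controlled input (znode payloads, reassignment JSON files); readTree and readValue into concrete, non-polymorphic POJOs or plain Map/List targets do not exercise the vulnerable path.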