Dependency vulnerabilities with flink 1.11.1 version

Dependency vulnerabilities with flink 1.11.1 version

V N, Suchithra (Nokia - IN/Bangalore)

Hello,

We are using Apache Flink 1.11.1 version. During our security scans the following issues are reported by our scan tool.

1. Package: commons_codec-1.10
Severity: Medium

Description:
Apache Commons contains a flaw that is due to the Base32 codec decoding invalid strings instead of rejecting them. This may allow a remote attacker to tunnel additional information via a base 32 string that seems valid.

Path:
/opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
/opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec

References:
https://issues.apache.org/jira/browse/CODEC-134
https://issues.apache.org/jira/browse/HTTPCLIENT-2018

2. Package: antlr-4.7
Severity: Medium

Description:
ANTLR contains a flaw in runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is triggered as it does not catch exceptions when attempting to access the TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a context-dependent attacker to potentially crash a process linked against the library.

Path:
/opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime

References:
https://github.com/antlr/antlr4/issues/2069

3. Package: mesos-1.0.1
Severity: Medium

Description:
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.

Path:
/opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-8023

4. Package: okhttp-3.7.0
Severity: Medium

Description:
** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.

Path:
/opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20200

5. Package: commons_io-2.4
Severity: Medium

Description:
Apache Commons IO contains a flaw that allows traversing outside of a restricted path. The issue is due to FileNameUtils.normalize not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can disclose arbitrary files.

Path:
/opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
/opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io

References:
https://issues.apache.org/jira/browse/IO-556

Please let us know your comments on these issues and fix plans.

Regards,

Suchithra
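The Mesos finding (item 3 above) describes a JWT verifier that compares the recomputed HMAC against the supplied signature with a plain `==`. The Python below is added here as an illustration; it is not code from Mesos, Flink, or anything posted in this thread. It builds and verifies an HS256 token two ways: with an early-exit comparison that also reports how many bytes it examined before stopping (the quantity a timing attacker infers from response latency), and with `hmac.compare_digest`, whose running time does not depend on where the inputs differ. The secret key, claims, and probe signatures are constructed for the example.

```python
"""Added example: HS256 JWT verification, early-exit compare vs constant-time compare."""
import base64
import hashlib
import hmac
import json

# Constructed for the example; not a real Mesos or Flink secret.
SECRET = b"constructed-example-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def leaky_compare(a: bytes, b: bytes):
    """The pattern the advisory describes: an equality check that stops at the first
    mismatching byte. Returns (equal, bytes_examined) so the leak is visible without a
    stopwatch: bytes_examined grows with the length of the correct prefix, which is
    exactly what a remote attacker recovers from the response-time difference."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def split_and_recompute(token: str, key: bytes):
    """Parse the token, pin the algorithm, and return (provided_sig, expected_sig) or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        hdr = json.loads(b64url_decode(header))
        provided = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    # Never let the token choose the algorithm ("none", a different MAC, ...).
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return provided, expected


def verify_naive(token: str, key: bytes) -> bool:
    """Vulnerable pattern: signature compared with an early-exit equality."""
    r = split_and_recompute(token, key)
    if r is None:
        return False
    equal, _ = leaky_compare(r[0], r[1])
    return equal


def verify_constant_time(token: str, key: bytes) -> bool:
    """Hardened: hmac.compare_digest takes the same time however the inputs differ."""
    r = split_and_recompute(token, key)
    if r is None:
        return False
    return hmac.compare_digest(r[0], r[1])


def oracle_bytes_examined(token: str, key: bytes, guessed_sig: bytes) -> int:
    """What one probe against the naive verifier tells the attacker: submit the real
    header and payload with a guessed signature and observe how far the compare got."""
    header, payload, _ = token.split(".")
    probe = f"{header}.{payload}.{b64url_encode(guessed_sig)}"
    r = split_and_recompute(probe, key)
    assert r is not None
    return leaky_compare(r[0], r[1])[1]


if __name__ == "__main__":
    token = make_jwt({"sub": "executor-1"}, SECRET)
    real = b64url_decode(token.split(".")[2])
    guess = real[:5] + bytes([real[5] ^ 1]) + real[6:]  # first five bytes correct
    print("valid token accepted:", verify_constant_time(token, SECRET))
    print("bytes examined for a 5-byte-correct guess:", oracle_bytes_examined(token, SECRET, guess))
```

With the early-exit compare, an attacker who can submit arbitrary signatures learns the matching prefix length one byte at a time and needs on the order of 256 probes per byte rather than 2^256 total; `compare_digest` removes that signal. Algorithm pinning is included because a verifier that lets the token select `alg` has a separate, equally classic bypass.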

Re: Dependency vulnerabilities with flink 1.11.1 version

Till Rohrmann
Hi Suchithra,

thanks for doing this analysis. I think we should try to upgrade the affected libraries. I have opened issues to do these changes [1, 2, 3, 4, 5]. In the future, it would be great if you could first reach out to [hidden email] so that we can fix these problems without drawing attention to them.


Cheers,
Till

On Thu, Oct 22, 2020 at 12:56 PM V N, Suchithra (Nokia - IN/Bangalore) <[hidden email]> wrote:

Re: Dependency vulnerabilities with flink 1.11.1 version

rmetzger0
Hey Suchithra,
thanks a lot for this report. I'm in the process of closing all the tickets Till has created (by pushing version upgrades to Flink).

The fixes will be released with the upcoming Flink 1.12 release.
I have decided against backporting the fixes to the 1.11 line of Flink, because they usually require large dependency version jumps, and none of the vulnerabilities reported have a confirmed case of directly affecting Flink. For example the issue in commons-io affects the FileNameUtils.normalize, which we are not using in Flink.

Best,
Robert



On Fri, Oct 23, 2020 at 10:55 AM Till Rohrmann <[hidden email]> wrote:
Re: Dependency vulnerabilities with flink 1.11.1 version

rmetzger0
FYI: For the sake of completeness, I have added some reasoning to all the JIRA tickets why we are not backporting fixes to the 1.11-line of Flink.

On Mon, Oct 26, 2020 at 4:51 PM Robert Metzger <[hidden email]> wrote:
RE: Dependency vulnerabilities with flink 1.11.1 version

V N, Suchithra (Nokia - IN/Bangalore)

Thanks Robert.

 

Regards,

Suchithra

 

From: Robert Metzger <[hidden email]>
Sent: Tuesday, October 27, 2020 9:10 PM
To: Till Rohrmann <[hidden email]>
Cc: V N, Suchithra (Nokia - IN/Bangalore) <[hidden email]>; [hidden email]
Subject: Re: Dependency vulnerabilities with flink 1.11.1 version
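Robert's reply above rests on a reachability argument: the flagged commons-io routine is not on a Flink code path. Checking a claim like that starts with knowing exactly which dependency versions a shaded jar bundles, because the scanner reports `jar:library` pairs such as `/opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io` without the version. The Python below is added here as an illustration and is not Flink tooling or anything posted in the thread. It reads the `META-INF/maven/<group>/<artifact>/pom.properties` entries that the Maven shade plugin typically leaves inside a jar (unless they are filtered out) and reports bundled versions at or below a watchlist threshold. The jars it scans are constructed in a temporary directory with made-up contents, and the watchlist thresholds are simply the versions the scanner reported, an assumption for the example rather than published fix versions.

```python
"""Added example: inventory the dependencies bundled inside (shaded) jars."""
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Assumed thresholds for the example: the versions the scanner reported.
# Anything bundled at or below these is treated as a hit.
WATCHLIST = {
    ("commons-io", "commons-io"): "2.4",
    ("commons-codec", "commons-codec"): "1.10",
    ("org.apache.mesos", "mesos"): "1.0.1",
}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def version_tuple(version: str):
    """'2.4' -> (2, 4); non-numeric parts such as '-SNAPSHOT' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def bundled_dependencies(jar_path) -> dict:
    """Return {(groupId, artifactId): version} for every pom.properties inside the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            found[(group, artifact)] = props.get("version", "?")
    return found


def scan_lib_dir(lib_dir, watchlist: dict) -> list:
    """List (jar name, group:artifact, version) for bundled deps at or below the watchlist."""
    hits = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        for (group, artifact), version in bundled_dependencies(jar).items():
            threshold = watchlist.get((group, artifact))
            if threshold is not None and version_tuple(version) <= version_tuple(threshold):
                hits.append((jar.name, f"{group}:{artifact}", version))
    return hits


def build_sample_jars(root):
    """Construct jars that mimic the shaded layout. Contents are made up for the example
    and say nothing about what the real Flink jars bundle."""
    specs = {
        "flink-dist_2.11-1.11.1.jar": [
            ("commons-io", "commons-io", "2.4"),
            ("org.apache.mesos", "mesos", "1.0.1"),
        ],
        "flink-table-blink_2.11-1.11.1.jar": [
            ("commons-codec", "commons-codec", "1.10"),
            ("commons-io", "commons-io", "2.4"),
        ],
        "constructed-upgraded.jar": [("commons-io", "commons-io", "9.9.9")],
    }
    for jar_name, deps in specs.items():
        with zipfile.ZipFile(Path(root) / jar_name, "w") as zf:
            for group, artifact, version in deps:
                zf.writestr(
                    f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
                )


def run_demo() -> list:
    """Build the sample jars in a temp dir and scan them; returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return scan_lib_dir(tmp, WATCHLIST)


if __name__ == "__main__":
    for jar, dep, version in run_demo():
        print(f"{jar}: {dep} {version}")
```

Pointing `scan_lib_dir` at a real `/opt/flink/lib` answers only the first question (which version is bundled). The second question, whether the vulnerable class or method is on any reachable path, still needs a look at the code that calls into the library; a jar that bundles commons-io 2.4 but never calls `FilenameUtils.normalize` on untrusted input is the situation Robert describes.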