(DEPRECATED) Apache Flink User Mailing List archive.

Dependency vulnerabilities with flink 1.12.3

Classic

List

Threaded

1 message

V N, Suchithra (Nokia - IN/Bangalore)

Dependency vulnerabilities with flink 1.12.3

Hello,

Following dependency vulnerabilities found with flink 1.12.3 version. Please provide your input on this.

commons-io-2.7

Severity: High

Description: Apache Commons IO contains a flaw that is due to the program failing to restrict which class can be serialized. This may allow a remote attacker to execute arbitrary Java code via deserialization methods.

References:

https://issues.apache.org/jira/browse/IO-675

Paths:

/opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)

/opt/flink/lib/flink-table-blink_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)

guava -14.0.1

Severity: High

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Paths:

/opt/flink/examples/streaming/Twitter.jar:guava (fixed in: 23.6.1, 24.1.1, 25.0)

commons-compress-1.20

Severity: High

Desciption: Apache Commons Compress contains a flaw in the ZipFile::readCentralDirectoryEntry() function in main/java/org/apache/commons/compress/archivers/zip/ZipFile.java related to an uncaught exception. This may allow a context-dependent attacker to crash a process linked against the library.

Paths:

/opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-compress

/opt/flink/opt/flink-python_2.11-1.12.3.jar:commons-compress

References:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33462