Security vulnerabilities of dependencies in Flink 1.11.1


Security vulnerabilities of dependencies in Flink 1.11.1

shravan
issues.docx
<http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/file/t2439/issues.docx>  

Hello,

We are using Apache Flink version 1.11.1, and our security scans report the following issues.
Please let us know your comments on these security vulnerabilities and fix plans for them.

PFA a Word document with details in regard to CVE numbers, details, and severity.

Issues in a nutshell:
1. Flink-shaded-netty has netty 4.1.39, which is vulnerable
2. Flink-shaded-jackson has snakeyaml 1.24, which is vulnerable
3. Flink-table has a vulnerable version of jackson-databind in the table APIs

Looking forward to a response.

Thanks,
Shravan



--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/

Re: Security vulnerabilities of dependencies in Flink 1.11.1

Arvid Heise
Hi Shravan,

We periodically bump version numbers, especially for major releases and basic dependencies such as netty.

However, running a simple scan over dependencies is not that useful without also checking whether the reported issues are actually triggered by code. For example, we are not using jackson to process YAML, so this vulnerability is not triggered at all. If you are not ingesting JSON through the table API, then the outdated jackson-databind is not a security issue either.

Nevertheless, the respective teams will take a closer look at the report. If we see that the vulnerabilities are actively used, then we will bump soonish.

How do these potential vulnerabilities affect your operations? I'd assume that most users run isolated Flink clusters, if not isolated applications. Then the netty vulnerability could never be exploited, because netty ports should not be exposed. On the other hand, if your Flink cluster is fully exposed, then you may have bigger problems than the dependencies.

Best,

Arvid

On Mon, Aug 31, 2020 at 9:13 AM shravan <[hidden email]> wrote:
--
Arvid Heise | Senior Java Developer
Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany
Registered at Amtsgericht Charlottenburg: HRB 158244 B
Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng
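Arvid's point that a scanner hit only matters if application code actually reaches the flagged library can be checked mechanically rather than by assertion. This added example (not from the thread or the Flink project) walks the constant pool of compiled .class files and reports references to snakeyaml, both under its plain package and under an assumed shaded relocation prefix; the sample class bytes and the prefix list are constructed for the example.

```python
import struct

# Assumed prefixes (example values, not from the thread): plain snakeyaml and the
# relocated path a shaded jackson jar would use for it.
FLAGGED_PREFIXES = ("org/yaml/snakeyaml/", "org/apache/flink/shaded/jackson2/org/yaml/snakeyaml/")

# Payload size in bytes of each fixed-width constant-pool tag (JVMS section 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def referenced_classes(class_bytes):
    """Internal names of every class referenced from a .class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)
    utf8, class_refs, pos, idx = {}, [], 10, 1
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 7:  # CONSTANT_Class: u2 index of the Utf8 name
                class_refs.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return sorted({utf8[i] for i in class_refs if i in utf8})

def flagged_references(class_bytes, prefixes=FLAGGED_PREFIXES):
    """Referenced classes under a flagged package: the actual reachability signal."""
    return [c for c in referenced_classes(class_bytes) if c.startswith(prefixes)]

def _utf8(s):
    data = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data

# Constructed minimal class file: com/example/MyJob extends java/lang/Object and
# references the shaded Yaml class; only the constant pool matters for the scan.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # magic, minor, major (Java 8)
    + struct.pack(">H", 7)                            # constant_pool_count = entries + 1
    + _utf8("org/apache/flink/shaded/jackson2/org/yaml/snakeyaml/Yaml")  # #1
    + b"\x07" + struct.pack(">H", 1)                  # #2 Class -> #1
    + _utf8("java/lang/Object")                       # #3
    + b"\x07" + struct.pack(">H", 3)                  # #4 Class -> #3
    + _utf8("com/example/MyJob")                      # #5
    + b"\x07" + struct.pack(">H", 5)                  # #6 Class -> #5
    + struct.pack(">HHHHHHH", 0x0021, 6, 4, 0, 0, 0, 0)  # flags, this, super, counts
)
```

Running `flagged_references` over every class in an application jar (and over the shaded jar itself, to find which of its own classes touch snakeyaml) turns "the dependency is present" into "this code path references it", which is the distinction the reply draws.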