Re: Security vulnerabilities of dependencies in Flink 1.11.1
Posted by Arvid Heise-3 on
URL: http://deprecated-apache-flink-user-mailing-list-archive.369.s1.nabble.com/Security-vulnerabilities-of-dependencies-in-Flink-1-11-1-tp37829p37838.html
--
Registered at Amtsgericht Charlottenburg: HRB 158244 B
Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng
URL: http://deprecated-apache-flink-user-mailing-list-archive.369.s1.nabble.com/Security-vulnerabilities-of-dependencies-in-Flink-1-11-1-tp37829p37838.html
Hi Shravan,
we periodically bump version numbers, especially for major releases and basic dependencies such as netty.
However, running a simple scan over dependencies is not that useful without also checking whether the reported issues are actually triggered by code. For example, we are not using jackson to process YAML, so that this vulnerability is not triggered at all. If you are not ingesting Json through table API, then the outdated jackson-databind is actually not a security issue as well.
Nevertheless, the respective teams will take a closer look at the report though. If we see that the vulnerabilities are actively used, then we will bump soonish.
How do these potential vulnerabilities affect your operations? I'd assume that most users run isolated Flink clusters if not isolated applications. Then, the netty vulnerability could never be exploited because netty ports should not be exposed. On the other hand, if your Flink cluster is fully exposed, then you may have bigger problems then the dependencies.
Best,
Arvid
On Mon, Aug 31, 2020 at 9:13 AM shravan <[hidden email]> wrote:
issues.docx
<http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/file/t2439/issues.docx>
Hello,
We are using Apache Flink 1.11.1 version and our security scans report the
following issues.
Please let us know your comments on these security vulnerabilities and fix
plans for them.
PFA a word document with details in regard to CVE numbers, details, and it's
severity.
Issues in a nutshell,
1. Flink-shaded-netty, has netty 4.1.39 which is vulnerable
2. Flink-shaded-jackson, has snakeyaml 1.24 which is vulnerable
3. Flink-table, has vulnerable version of Jackson-databind in table APIs
Looking forward on a response.
Thanks,
Shravan
--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/
--
Arvid Heise | Senior Java Developer
Follow us @VervericaData
--
Join Flink Forward - The Apache Flink Conference
Stream Processing | Event Driven | Real Time
--
Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany
--
Ververica GmbHRegistered at Amtsgericht Charlottenburg: HRB 158244 B
Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng
| Free forum by Nabble | Edit this page |