Miguel Costa created FLINK-19195:
------------------------------------

Summary: question on security vulnerabilities in flink
Key: FLINK-19195
URL: https://issues.apache.org/jira/browse/FLINK-19195
Project: Flink
Issue Type: Wish
Components: flink-docker
Affects Versions: docker-1.11.0.0
Reporter: Miguel Costa
Fix For: 1.12.0
Hi All,

Sorry if this is the wrong place, but I looked in GitHub, the website and other places and I could not find what I was looking for.

I'm starting to learn about Flink and I'm using this image for some of my explorations:

docker pull amd64/flink:1.11-scala_2.11-java11

I'm using it in our development cluster in my company, and when generating my image based on this I get some errors from the security report (from an external provider) that prevent me from generating an image (it's something on our side). I just wanted to know if this is indeed an error and whether it could be fixed in the future.

This is what I got:

CVE             Package               Version        Severity   Status                  CVSS
--------------  --------------------  -------------  ---------  ----------------------  ----
CVE-2019-20444  io.netty_netty-codec  4.1.34.Final   critical   fixed in 4.1.44         9.1
CVE-2019-20445  io.netty_netty-codec  4.1.34.Final   critical   fixed in 4.1.44         9.1
CVE-2020-11612  io.netty_netty-codec  4.1.34.Final   critical   fixed in 4.1.46         9.8
CVE-2019-16869  io.netty_netty-codec  4.1.34.Final   high       fixed in 4.1.42.Final   7.5

CVE-2019-20444 and CVE-2019-20445 were in theory fixed in FLINK-16961, but I still see them in my report. CVE-2020-11612 and CVE-2019-16869 I found in FLINK-16356, but that one is still open.

So I was just wondering if maybe FLINK-16961 fixed only some of the components, but some others are still being used? When I searched in GitHub I found these problematic versions in:

flink-connector-cassandra (io.netty:netty-codec:4.1.44.Final)
flink-connector-elasticsearch5 (io.netty:netty-codec:4.1.44.Final)
flink-python (io.netty:netty-codec:4.1.42.Final)
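To answer the question the report raises (which of the listed CVEs remain open for each netty-codec version the reporter found), here is an added check that parses the scanner rows quoted in the issue and compares each module's version against the "fixed in" version; it is example code written for this page, not Flink's or the scanner's own tooling. It assumes the scanner's "fixed in" value is the minimum safe version and that Netty qualifiers such as `.Final` carry no ordering information.

```python
import re

# Scanner findings exactly as quoted in the Jira issue (constructed sample input).
REPORT = """
CVE-2019-20444 io.netty_netty-codec 4.1.34.Final critical fixed in 4.1.44 9.1
CVE-2019-20445 io.netty_netty-codec 4.1.34.Final critical fixed in 4.1.44 9.1
CVE-2020-11612 io.netty_netty-codec 4.1.34.Final critical fixed in 4.1.46 9.8
CVE-2019-16869 io.netty_netty-codec 4.1.34.Final high fixed in 4.1.42.Final 7.5
"""

# netty-codec versions the reporter found per Flink module (from the issue).
MODULES = {
    "flink-connector-cassandra": "4.1.44.Final",
    "flink-connector-elasticsearch5": "4.1.44.Final",
    "flink-python": "4.1.42.Final",
}

LINE_RE = re.compile(
    r"^(CVE-\d{4}-\d+)\s+(\S+)\s+(\S+)\s+(\w+)\s+fixed in\s+(\S+)\s+([\d.]+)$"
)

def parse_version(v):
    """Turn '4.1.44.Final' into (4, 1, 44); non-numeric qualifiers are dropped (assumption)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def parse_report(text):
    """Parse one scanner row per line into dicts; fail loudly on anything unexpected."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable report line: {line!r}")
        cve, pkg, found, severity, fixed, cvss = m.groups()
        findings.append({"cve": cve, "package": pkg, "found": found,
                         "severity": severity, "fixed_in": fixed, "cvss": float(cvss)})
    return findings

def is_affected(version, fixed_in):
    """A version is still affected when it sorts strictly below the fixed-in version."""
    return parse_version(version) < parse_version(fixed_in)

def open_cves(findings, version):
    return sorted(f["cve"] for f in findings if is_affected(version, f["fixed_in"]))

def audit(findings, modules):
    """Map each module to the CVEs still open for the netty-codec version it ships."""
    return {name: open_cves(findings, ver) for name, ver in modules.items()}

if __name__ == "__main__":
    findings = parse_report(REPORT)
    for module, cves in audit(findings, MODULES).items():
        print(module, "still affected by:", ", ".join(cves) or "none")
```

On the quoted data this shows the 4.1.44.Final connectors still flagged for CVE-2020-11612 only, while flink-python's 4.1.42.Final remains flagged for three of the four.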