Hi Hong,

I do have objections: upgrading Flink-Shaded in a patch version is
something that we should not take lightly, since it involves components
that are used in the core functionality of Flink. We've seen in the past
that changes in Flink Shaded have an impact on stability and performance. I
would like to see how Flink is affected by these CVEs, since in almost all
cases these are false-positives for Flink.

Best regards,

Martijn

On Thu, Feb 1, 2024 at 4:22 PM Hong Liang <h...@apache.org> wrote:

> Hi all,
>
> Recently, we detected some active CVEs on the flink-shaded-guava and
> flink-shaded-zookeeper package used in Flink 1.18. Since Flink 1.18 is
> still in support for security fixes, we should consider fixing this.
> However, since the vulnerable package is coming from flink-shaded, I wanted
> to check if there are thoughts from the community around releasing a patch
> version of flink-shaded.
>
> Problem:
> Flink 1.18 uses guava 31.1-jre from flink-shaded-guava 17.0, which is
> affected by CVE-2023-2976 (HIGH) [1] and CVE-2020-8908 (LOW) [2]. Flink
> 1.18 also uses zookeeper 3.7.1, which is affected by CVE-2023-44981
> (CRITICAL) [3].
>
> To fix, I can think of two options:
> Option 1:
> Upgrade Flink 1.18 to use flink.shaded.version 18.0. This is easiest as we
> can backport the change for Flink 1.19 directly (after the performance
> regression is addressed) [4]. However, there are also upgrades to jackson,
> asm and netty in flink.shaded.version 1.18.
>
> Option 2:
> Release flink.shaded.version 17.1, with just a bump in zookeeper and guava
> versions. Then, upgrade Flink 1.18 to use this new flink.shaded.version
> 17.1. This is harder, but keeps the changes contained and minimal.
>
> Given the version bump is on flink-shaded, which is relocated to keep the
> usage of libraries contained within the flink runtime itself, I am inclined
> to go with Option 1, even though the change is slightly larger than just
> the security fixes.
>
> Do people have any objections?
>
>
> Regards,
> Hong
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
> [2] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
> [3] https://nvd.nist.gov/vuln/detail/CVE-2023-44981
> [4] https://issues.apache.org/jira/browse/FLINK-33705
>
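Martijn's point above is that a version match against a CVE entry is not the same as Flink being exposed: the vulnerable Guava code has to be shipped in the relocated flink-shaded tree and actually referenced by Flink code. The following Python script is an added example (not part of the thread, and not Flink project tooling) of that triage for the two Guava CVEs Hong lists: it inspects a jar, checks whether the implicated class is present under the shaded prefix, and then searches the constant pools of the non-Guava classes for references to it. The CVE-to-class mapping follows the public CVE descriptions (CVE-2023-2976 concerns any use of FileBackedOutputStream, CVE-2020-8908 concerns Files.createTempDir()); the relocation prefix `org/apache/flink/shaded/guava31/` and the sample jar contents are assumptions constructed for the example.

```python
import io
import zipfile

# Code implicated by the two Guava CVEs in the thread (from the CVE descriptions):
#   CVE-2023-2976: any use of com.google.common.io.FileBackedOutputStream
#   CVE-2020-8908: calls to com.google.common.io.Files.createTempDir()
# Each entry is (class internal name, method name or None for "any use of the class").
CVE_TARGETS = {
    "CVE-2023-2976": ("com/google/common/io/FileBackedOutputStream", None),
    "CVE-2020-8908": ("com/google/common/io/Files", "createTempDir"),
}

# ASSUMPTION: the relocation prefix flink-shaded-guava applies. Check the jar you
# are actually examining and pass the real prefix to triage_jar() if it differs.
DEFAULT_PREFIX = "org/apache/flink/shaded/guava31/"


def triage_jar(jar_bytes, prefix=DEFAULT_PREFIX):
    """Classify each CVE as 'not shipped', 'shipped, unreferenced' or 'referenced'.

    Class and method names are stored as plain (modified UTF-8) strings in a class
    file's constant pool, so a byte search over every class outside the shaded
    Guava tree finds callers without a full bytecode parser. It is a heuristic:
    a hit means "worth a closer look", not a confirmed vulnerable call site.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = [n for n in zf.namelist() if n.endswith(".class")]
        shipped_classes = set(entries)
        # Only classes outside the relocated Guava tree count as Flink callers.
        callers = {n: zf.read(n) for n in entries if not n.startswith(prefix)}

    for cve, (cls, method) in CVE_TARGETS.items():
        relocated = prefix + cls
        shipped = relocated + ".class" in shipped_classes
        refs = [
            name for name, data in callers.items()
            if relocated.encode() in data
            and (method is None or method.encode() in data)
        ]
        if not shipped:
            status = "not shipped"
        elif refs:
            status = "referenced"
        else:
            status = "shipped, unreferenced"
        report[cve] = {"status": status, "referenced_by": sorted(refs)}
    return report


def build_sample_jar():
    """Constructed stand-in for a Flink jar: two relocated Guava classes plus two
    Flink classes whose constant pools are simulated by raw strings."""
    magic = b"\xca\xfe\xba\xbe"
    files_cls = (DEFAULT_PREFIX + "com/google/common/io/Files").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DEFAULT_PREFIX + "com/google/common/io/FileBackedOutputStream.class", magic)
        zf.writestr(DEFAULT_PREFIX + "com/google/common/io/Files.class", magic)
        # Calls Files.createTempDir(): a genuine hit for CVE-2020-8908.
        zf.writestr("org/apache/flink/runtime/TempDirUser.class",
                    magic + files_cls + b"\x00createTempDir")
        # Uses Files.asByteSource() only: version match, but not the vulnerable method.
        zf.writestr("org/apache/flink/runtime/ByteSourceUser.class",
                    magic + files_cls + b"\x00asByteSource")
    return buf.getvalue()


if __name__ == "__main__":
    for cve, finding in triage_jar(build_sample_jar()).items():
        print(cve, finding)
```

On the constructed jar the script reports CVE-2023-2976 as shipped but unreferenced and CVE-2020-8908 as referenced only by the class that names `createTempDir`, which is the distinction the thread is asking for: the scanner's version match is real, but whether Flink is affected depends on which relocated code Flink actually calls. Against a real flink-dist jar you would run `triage_jar(open(path, "rb").read())` and treat any "referenced" result as the starting point for a manual review of the call site.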