To add to this: we can't upgrade to flink-shaded 18.0, since we've just reverted that for Flink 1.19 because of the performance regression. We will need a new flink-shaded version to deal with these performance regressions.
On Fri, Feb 2, 2024 at 9:39 AM Martijn Visser <martijnvis...@apache.org> wrote:
> Hi Hong,
>
> I do have objections: upgrading Flink-Shaded in a patch version is something that we should not take lightly, since it involves components that are used in the core functionality of Flink. We've seen in the past that changes in Flink Shaded have an impact on stability and performance. I would like to see how Flink is affected by these CVEs, since in almost all cases these are false positives for Flink.
>
> Best regards,
>
> Martijn
>
> On Thu, Feb 1, 2024 at 4:22 PM Hong Liang <h...@apache.org> wrote:
>
>> Hi all,
>>
>> Recently, we detected some active CVEs on the flink-shaded-guava and flink-shaded-zookeeper package used in Flink 1.18. Since Flink 1.18 is still in support for security fixes, we should consider fixing this. However, since the vulnerable package is coming from flink-shaded, I wanted to check if there are thoughts from the community around releasing a patch version of flink-shaded.
>>
>> Problem:
>> Flink 1.18 uses guava 31.1-jre from flink-shaded-guava 17.0, which is affected by CVE-2023-2976 (HIGH) [1] and CVE-2020-8908 (LOW) [2]. Flink 1.18 also uses zookeeper 3.7.1, which is affected by CVE-2023-44981 (CRITICAL) [3].
>>
>> To fix, I can think of two options:
>> Option 1:
>> Upgrade Flink 1.18 to use flink.shaded.version 18.0. This is easiest as we can backport the change for Flink 1.19 directly (after the performance regression is addressed) [4]. However, there are also upgrades to jackson, asm and netty in flink.shaded.version 1.18.
>>
>> Option 2:
>> Release flink.shaded.version 17.1, with just a bump in zookeeper and guava versions. Then, upgrade Flink 1.18 to use this new flink.shaded.version 17.1. This is harder, but keeps the changes contained and minimal.
>>
>> Given the version bump is on flink-shaded, which is relocated to keep the usage of libraries contained within the flink runtime itself, I am inclined to go with Option 1, even though the change is slightly larger than just the security fixes.
>>
>> Do people have any objections?
>>
>> Regards,
>> Hong
>>
>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
>> [2] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
>> [3] https://nvd.nist.gov/vuln/detail/CVE-2023-44981
>> [4] https://issues.apache.org/jira/browse/FLINK-33705
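Martijn's request to see how Flink is actually affected by the Guava CVEs is, in practice, a reachability question: does the relocated Guava inside flink-shaded-guava still ship the classes the CVEs concern, and does any Flink class reference them? The script below is an added example of that triage, written for this page; it is not code from the thread or from the Flink or flink-shaded projects. The class names come from the CVE descriptions (CVE-2023-2976 concerns `com.google.common.io.FileBackedOutputStream`, CVE-2020-8908 concerns `Files.createTempDir()`); the relocation prefix `org/apache/flink/shaded/guava31/` is an assumption to be checked against the real jar, and the two jars it scans are constructed in memory so it runs offline. The ZooKeeper issue (CVE-2023-44981) turns on quorum SASL configuration rather than on a reachable class, so it is outside what this check covers.

```python
import io
import struct
import zipfile

# Classes named by the CVEs discussed in the thread (Guava internal names).
VULNERABLE_CLASSES = {
    "CVE-2023-2976": "com/google/common/io/FileBackedOutputStream",
    "CVE-2020-8908": "com/google/common/io/Files",  # Files.createTempDir()
}
# ASSUMPTION: relocation prefix applied by flink-shaded-guava; verify against the real jar.
RELOCATION_PREFIX = "org/apache/flink/shaded/guava31/"

def constant_pool_utf8(class_bytes):
    """All CONSTANT_Utf8 strings in a class file; class refs and descriptors live here."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index, strings = 10, 1, []
    while index < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by modified UTF-8 bytes
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            strings.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):  # 4-byte payloads
            pos += 4
        elif tag in (5, 6):  # long/double: 8 bytes and two pool slots
            pos += 8
            index += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package
            pos += 2
        elif tag == 15:  # MethodHandle
            pos += 3
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 1
    return strings

def mentions(strings, internal_name):
    """True if a pool entry is the class itself or a descriptor containing it."""
    descriptor = "L" + internal_name + ";"
    return any(s == internal_name or descriptor in s for s in strings)

def jar_classes(jar_bytes):
    """Yield (internal class name, class bytes) for every .class entry in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                yield name[:-len(".class")], zf.read(name)

def shipped_vulnerable_classes(shaded_jar, prefix=RELOCATION_PREFIX):
    """Which CVE-listed classes does the shaded jar actually contain?"""
    present = {name for name, _ in jar_classes(shaded_jar)}
    return {cve: prefix + cls for cve, cls in VULNERABLE_CLASSES.items()
            if prefix + cls in present}

def referencing_classes(app_jar, prefix=RELOCATION_PREFIX):
    """Map each CVE to the application classes whose constant pool names its class."""
    hits = {}
    for name, data in jar_classes(app_jar):
        strings = constant_pool_utf8(data)
        for cve, cls in VULNERABLE_CLASSES.items():
            if mentions(strings, prefix + cls):
                hits.setdefault(cve, []).append(name)
    return {cve: sorted(names) for cve, names in hits.items()}

def build_class(utf8_strings):
    """Constructed class file: header plus a Utf8-only constant pool (enough for the scanner)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                    for s in utf8_strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_strings) + 1) + pool

def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

FBOS = RELOCATION_PREFIX + "com/google/common/io/FileBackedOutputStream"
PRECONDITIONS = RELOCATION_PREFIX + "com/google/common/base/Preconditions"

def sample_shaded_jar():
    """Constructed shaded jar: ships the relocated FileBackedOutputStream but not Files."""
    return build_jar({FBOS + ".class": build_class([FBOS]),
                      PRECONDITIONS + ".class": build_class([PRECONDITIONS])})

def sample_app_jar():
    """Constructed app jar: Spooler builds the vulnerable stream; Safe only uses Preconditions."""
    spooler = build_class(["org/example/Spooler", FBOS, "(I)L" + FBOS + ";"])
    safe = build_class(["org/example/Safe", PRECONDITIONS, "(Z)V"])
    return build_jar({"org/example/Spooler.class": spooler, "org/example/Safe.class": safe})

def triage():
    return {"shipped": shipped_vulnerable_classes(sample_shaded_jar()),
            "referenced": referencing_classes(sample_app_jar())}
```

Against a real build, `shipped_vulnerable_classes` would be pointed at the flink-shaded-guava jar and `referencing_classes` at the Flink runtime jars. A hit means the CVE-listed class is both shipped and referenced, which is the evidence needed to argue the finding is real rather than a scanner false positive; no hit is the usual basis for disputing it. The constant-pool check sees static references only, so code that reaches the class through reflection would not show up.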