Guava CVEs don't apply because it's all about using its createTempDir method, which we don't use.
Zookeeper CVE doesn't really apply because it's a server-side issue.
On 02/02/2024 09:42, Martijn Visser wrote:
To add to this: we can't upgrade to flink-shaded 18.0, since we've just
reverted that for Flink 1.19 because of the performance regression. We will
need a new flink-shaded version to deal with these performance regressions.
On Fri, Feb 2, 2024 at 9:39 AM Martijn Visser <martijnvis...@apache.org> wrote:
Hi Hong,
I do have objections: upgrading Flink-Shaded in a patch version is
something that we should not take lightly, since it involves components
that are used in the core functionality of Flink. We've seen in the past
that changes in Flink Shaded have an impact on stability and performance. I
would like to see how Flink is affected by these CVEs, since in almost all
cases these are false-positives for Flink.
Best regards,
Martijn
On Thu, Feb 1, 2024 at 4:22 PM Hong Liang <h...@apache.org> wrote:
Hi all,
Recently, we detected some active CVEs on the flink-shaded-guava and
flink-shaded-zookeeper package used in Flink 1.18. Since Flink 1.18 is
still in support for security fixes, we should consider fixing this.
However, since the vulnerable package is coming from flink-shaded, I wanted
to check if there are thoughts from the community around releasing a patch
version of flink-shaded.
Problem:
Flink 1.18 uses guava 31.1-jre from flink-shaded-guava 17.0, which is
affected by CVE-2023-2976 (HIGH) [1] and CVE-2020-8908 (LOW) [2]. Flink
1.18 also uses zookeeper 3.7.1, which is affected by CVE-2023-44981
(CRITICAL) [3].
To fix, I can think of two options:
Option 1:
Upgrade Flink 1.18 to use flink.shaded.version 18.0. This is easiest as we
can backport the change for Flink 1.19 directly (after the performance
regression is addressed) [4]. However, there are also upgrades to jackson,
asm and netty in flink.shaded.version 1.18.
Option 2:
Release flink.shaded.version 17.1, with just a bump in zookeeper and guava
versions. Then, upgrade Flink 1.18 to use this new flink.shaded.version
17.1. This is harder, but keeps the changes contained and minimal.
Given the version bump is on flink-shaded, which is relocated to keep the
usage of libraries contained within the flink runtime itself, I am inclined
to go with Option 1, even though the change is slightly larger than just
the security fixes.
Do people have any objections?
Regards,
Hong
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-44981
[4] https://issues.apache.org/jira/browse/FLINK-33705
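The triage argument in the top reply, that the Guava advisories only matter if Files.createTempDir is actually called, can be checked mechanically instead of from memory. The script below is an added example, not code from this thread or from the Flink project: it parses the constant pool of every class in a jar and lists the classes that link against Files.createTempDir, matching the class name both unrelocated and under a shading prefix. The relocation prefix org/apache/flink/shaded/guava31, the sample class names and the in-memory jar are constructed for the demonstration; the constant-pool tag layout follows the JVM class-file specification.

```python
"""List the classes in a jar whose constant pool references Guava's
Files.createTempDir (the method behind CVE-2023-2976 / CVE-2020-8908).
A hit means the class is at least linked against the method; no hit
across the whole jar supports treating the advisory as not reachable."""
import io
import struct
import zipfile

TARGET_CLASS = "com/google/common/io/Files"
TARGET_METHOD = "createTempDir"


def parse_constant_pool(data: bytes) -> list:
    """Return the constant pool as a 1-indexed list of (tag, payload).
    Only the fields needed to resolve method references are decoded."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pool = [None]  # slot 0 is unused, per the JVM spec
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + modified UTF-8 bytes
            length = struct.unpack_from(">H", data, off)[0]
            pool.append((tag, data[off + 2:off + 2 + length].decode("utf-8", "replace")))
            off += 2 + length
        elif tag in (3, 4):  # Integer, Float
            pool.append((tag, None)); off += 4
        elif tag in (5, 6):  # Long, Double take two slots
            pool.append((tag, None)); pool.append(None); off += 8; i += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package
            pool.append((tag, struct.unpack_from(">H", data, off)[0])); off += 2
        elif tag in (9, 10, 11, 12):  # Fieldref, Methodref, InterfaceMethodref, NameAndType
            pool.append((tag, struct.unpack_from(">HH", data, off))); off += 4
        elif tag == 15:  # MethodHandle
            pool.append((tag, None)); off += 3
        elif tag in (17, 18):  # Dynamic, InvokeDynamic
            pool.append((tag, None)); off += 4
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def method_refs(data: bytes):
    """Yield (class_name, method_name) for every Methodref/InterfaceMethodref."""
    pool = parse_constant_pool(data)
    for entry in pool:
        if entry is None or entry[0] not in (10, 11):
            continue
        class_idx, nat_idx = entry[1]
        class_name = pool[pool[class_idx][1]][1]
        name_idx, _desc_idx = pool[nat_idx][1]
        yield class_name, pool[name_idx][1]


def find_vulnerable_callers(jar_bytes: bytes, target_class: str = TARGET_CLASS,
                            target_method: str = TARGET_METHOD) -> list:
    """Return the .class entries that reference target_class.target_method.
    The class match also accepts a shading prefix (e.g. relocated Guava)."""
    callers = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            for cls, meth in method_refs(jar.read(name)):
                if meth == target_method and (cls == target_class or cls.endswith("/" + target_class)):
                    callers.append(name)
                    break
    return callers


def build_class(refs) -> bytes:
    """Constructed test input: a minimal class file whose constant pool holds a
    Methodref for each (class_name, method_name); the body after the pool is a
    bare header, which is all the parser above reads."""
    pool = []

    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(pool)

    def entry(tag, fmt, *vals):
        pool.append(bytes([tag]) + struct.pack(fmt, *vals))
        return len(pool)

    for cls, meth in refs:
        c = entry(7, ">H", utf8(cls))
        nat = entry(12, ">HH", utf8(meth), utf8("()V"))
        entry(10, ">HH", c, nat)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    trailer = struct.pack(">HHHHHHH", 0x21, 1, 1, 0, 0, 0, 0)  # flags, this, super, 4 empty tables
    return header + b"".join(pool) + trailer


def build_sample_jar() -> bytes:
    """Constructed jar: one class linking the vulnerable method under an assumed
    flink-shaded relocation prefix, one class that only uses other methods."""
    shaded_files = "org/apache/flink/shaded/guava31/com/google/common/io/Files"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/Spill.class", build_class([(shaded_files, "createTempDir")]))
        jar.writestr("org/example/Clean.class", build_class([(shaded_files, "write"),
                                                             ("java/io/File", "createTempFile")]))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("classes linking Files.createTempDir:", find_vulnerable_callers(build_sample_jar()) or "none")
```

Run it against a real Flink distribution by replacing build_sample_jar() with the bytes of each jar under lib/; an empty result for every jar is the evidence the triage claim rests on, while a non-empty one names the classes to look at. Because the check works on the constant pool, it sees relocated copies of Guava that a dependency-manifest scanner would report by coordinates only.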