[ https://issues.apache.org/jira/browse/FLINK-19195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195307#comment-17195307 ]

Chesnay Schepler commented on FLINK-19195:
------------------------------------------

FLINK-16961 bumped the netty version for transitive dependencies, whereas 
FLINK-18660 targets the netty dependency used by Flink itself.

> question on security vulnerabilities in flink
> ---------------------------------------------
>
>                 Key: FLINK-19195
>                 URL: https://issues.apache.org/jira/browse/FLINK-19195
>             Project: Flink
>          Issue Type: Bug
>          Components: flink-docker
>    Affects Versions: docker-1.11.0.0
>            Reporter: Miguel Costa
>            Priority: Major
>              Labels: security
>             Fix For: 1.12.0
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> Hi All,
> Sorry if this is the wrong place, but I looked on GitHub, the website and other 
> places and I could not find what I was looking for.
> I'm starting to learn about flink and I'm using this image for some of my 
> explorations:
> docker pull amd64/flink:1.11-scala_2.11-java11
>  
> I'm using it in our development cluster in my company and when generating my 
> image based on this I get some errors from the security report (from an 
> external provider) that prevent me from generating an image (it's something 
> on our side).
>  
> I just wanted to know if this is indeed an error and it could be fixed in the 
> future.
> This is what I got:
> CVE            Package              Version       Severity  Status                CVSS
> ---            -------              -------       --------  ------                ----
> CVE-2019-20444 io.netty_netty-codec 4.1.34.Final  critical  fixed in 4.1.44       9.1
> CVE-2019-20445 io.netty_netty-codec 4.1.34.Final  critical  fixed in 4.1.44       9.1
> CVE-2020-11612 io.netty_netty-codec 4.1.34.Final  critical  fixed in 4.1.46       9.8
> CVE-2019-16869 io.netty_netty-codec 4.1.34.Final  high      fixed in 4.1.42.Final 7.5
>  
> CVE-2019-20444 and CVE-2019-20445 were in theory fixed in FLINK-16961, but I 
> still see them in my report.
>  
> CVE-2020-11612 and CVE-2019-16869 I found in FLINK-16356, but that one is 
> still open.
> So I was just wondering if maybe FLINK-16961 fixed only some of the 
> components, but some others are still being used?
> When I searched on GitHub I found these problematic versions in:
> flink-connector-cassandra (io.netty:netty-codec:4.1.44.Final)
> flink-connector-elasticsearch5 (io.netty:netty-codec:4.1.44.Final)
> flink-python - (io.netty:netty-codec:4.1.42.Final)
>  

--
This message was sent by Atlassian Jira
(v8.3.4#803005)