[ https://issues.apache.org/jira/browse/FLINK-27654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539854#comment-17539854 ]

James Busche edited comment on FLINK-27654 at 5/20/22 12:01 AM:
----------------------------------------------------------------

Thanks [~wangyang0918] 

It looks like the kubernetes client version 
[5.5.0|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#550-2021-06-30]
 is pretty old.
[5.12.2|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#5122-2022-04-06]
 is the latest v5 client version...  I can try putting a PR in the upstream 
flink repo, but I'm not sure how to test it to ensure I'm not breaking 
something there.  I'd feel badly if I ended up unintentionally breaking both 
products, and not certain that the 5.12.2 version will update the 
jackson-databind in the end anyway.

Any suggestions on the best way to proceed? I'm happy to try!



was (Author: JIRAUSER287279):
Thanks [~wangyang0918] 

It looks like the kubernetes client version 
[5.5.0|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#550-2021-06-30]
 is pretty old.
[5.12.2|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#5122-2022-04-06]
 is the latest v5 client version...  I can try putting a PR in the upstream 
flink repo, but I'm not sure how to test it to ensure I'm not breaking 
something there.  I'd feel badly if I ended up unintentionally breaking both 
products, and not certain that the 5.12.2 version will update the 
jackson-databind in the end anyway.

Any suggestions on the best way to proceed? I'm happy to attempt try!


> Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
> -------------------------------------------------------------------------
>
>                 Key: FLINK-27654
>                 URL: https://issues.apache.org/jira/browse/FLINK-27654
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-0.1.0
>            Reporter: James Busche
>            Priority: Major
>             Fix For: kubernetes-operator-1.0.0
>
>
> A Twistlock security scan of the latest Kubernetes Flink operator is showing 
> an older version of jackson-databind in the 
> /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file.  I don't know how to 
> control/update the contents of this snapshot file.  
> I see this in the report (otherwise, everything else looks good!):
> ======
> severity: High
> cvss: 7.5 
> riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High 
> severity
> cve: CVE-2020-36518
> Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
> description: jackson-databind before 2.13.0 allows a Java StackOverflow 
> exception and denial of service via a large depth of nested objects.
> =====
> I'd be glad to try to fix it; I'm just not sure how the jackson-databind 
> versions are controlled in this 
> /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
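As an added example (not code from the Flink project or from the reporter), the script below does what the scanner in the report did: it opens a shaded jar, finds the pom.properties that Maven (and maven-shade-plugin, by default) keeps under META-INF/maven/com.fasterxml.jackson.core/jackson-databind/, reads the bundled version, and compares it against the patched releases for CVE-2020-36518, which the upstream advisory (GHSA-57j2-w4cx-62h2) lists as 2.12.6.1 and 2.13.2.1, a stricter cut-off than the "before 2.13.0" wording in the scan output. Run without arguments it builds a constructed jar in memory with a made-up version string; pass the path of a freshly built shaded jar to see whether a kubernetes-client bump actually moved jackson-databind. The relocated class path in the constructed jar is an assumption, and a shade configuration that strips META-INF/maven would hide the artifact from this check (and from the scanner) without removing the classes.

```python
"""Find bundled jackson-databind in a shaded jar and check it against CVE-2020-36518.

Added example; not Flink project code. The jar built by
build_constructed_shaded_jar() is constructed sample data.
"""
import io
import re
import sys
import zipfile

# Scanners locate bundled Maven artifacts through the pom.properties file kept
# under META-INF/maven/<groupId>/<artifactId>/ inside the jar, which shading
# leaves in place even when classes are relocated.
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$"
)

# Patched releases per the upstream advisory (GHSA-57j2-w4cx-62h2);
# 2.14 and later minor lines are fixed, 2.11 and earlier are not.
FIXED_BY_MINOR = {(2, 12): (2, 12, 6, 1), (2, 13): (2, 13, 2, 1)}


def parse_version(version):
    """'2.12.6.1' -> (2, 12, 6, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def vulnerable_to_cve_2020_36518(version):
    """True if this jackson-databind version predates the patched release of its line."""
    v = parse_version(version)
    major_minor = v[:2]
    if major_minor < (2, 12):
        return True
    if major_minor in FIXED_BY_MINOR:
        # Pad to four components so (2,12,6) is compared as (2,12,6,0).
        padded = v + (0,) * (4 - len(v))
        return padded < FIXED_BY_MINOR[major_minor]
    return False


def bundled_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if "version" in props:
                found[(match.group("group"), match.group("artifact"))] = props["version"]
    return found


def report(jar_bytes):
    """List (version, vulnerable) for each bundled jackson-databind found."""
    results = []
    for (group, artifact), version in bundled_artifacts(jar_bytes).items():
        if group == "com.fasterxml.jackson.core" and artifact == "jackson-databind":
            results.append((version, vulnerable_to_cve_2020_36518(version)))
    return results


def build_constructed_shaded_jar(databind_version):
    """Build an in-memory jar shaped like a shaded artifact (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\n"
            f"version={databind_version}\n"
            "groupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n",
        )
        # Relocation prefix is an assumption; the class bytes are a placeholder.
        jar.writestr(
            "shaded/com/fasterxml/jackson/databind/ObjectMapper.class",
            b"\xca\xfe\xba\xbe",
        )
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_constructed_shaded_jar("2.12.3")  # made-up version
    for found_version, vulnerable in report(data):
        status = "VULNERABLE to CVE-2020-36518" if vulnerable else "fixed"
        print(f"jackson-databind {found_version}: {status}")
```

The version check is split per minor line because the fix was backported: a 2.12.7 build is fixed while a 2.13.1 build is not, so a simple "is it at least 2.13.0" test, as in the scanner's description text, misclassifies both.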