[ https://issues.apache.org/jira/browse/FLINK-27654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539854#comment-17539854 ]
James Busche edited comment on FLINK-27654 at 5/20/22 12:01 AM:
----------------------------------------------------------------

Thanks [~wangyang0918]

It looks like the kubernetes client version [5.5.0|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#550-2021-06-30] is pretty old. [5.12.2|https://github.com/fabric8io/kubernetes-client/blob/master/CHANGELOG.md#5122-2022-04-06] is the latest v5 client version...

I can try putting a PR in the upstream flink repo, but I'm not sure how to test it to ensure I'm not breaking something there. I'd feel badly if I ended up unintentionally breaking both products, and I'm not certain that the 5.12.2 version will update the jackson-databind in the end anyway.

Any suggestions on the best way to proceed? I'm happy to try!
> Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
> -------------------------------------------------------------------------
>
>                 Key: FLINK-27654
>                 URL: https://issues.apache.org/jira/browse/FLINK-27654
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-0.1.0
>            Reporter: James Busche
>            Priority: Major
>             Fix For: kubernetes-operator-1.0.0
>
>
> A Twistlock security scan of the latest kubernetes flink operator is showing an older version of jackson-databind in the /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file. I don't know how to control/update the contents of this snapshot file.
> I see this in the report (Otherwise, everything else looks good!):
> ======
> severity: High
> cvss: 7.5
> riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High severity
> cve: CVE-2020-36518
> Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
> description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
> =====
> I'd be glad to try to fix it, I'm just not sure how the jackson-databind versions are controlled in this /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
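As an added example (not code from the issue, Flink, or the operator's build): a Python check that reports whether a shaded jar still bundles a jackson-databind below the 2.13.0 threshold quoted in the scan description. It reads the Maven metadata that shading usually leaves under META-INF/maven/ inside the jar, and the sample jar it inspects is constructed inline.

```python
"""Flag a jackson-databind bundled in a (shaded) jar that is older than the fixed version.

Added example, not part of the Flink issue or the operator's build. Relocation
renames the class paths, so the Maven pom.properties that the shade plugin keeps
under META-INF/maven/ is a more reliable signal than scanning class names.
"""
import io
import re
import zipfile

# Threshold taken from the scan text quoted in the issue ("before 2.13.0").
FIXED_VERSION = (2, 13, 0)
POM_PROPS = re.compile(
    r"META-INF/maven/com\.fasterxml\.jackson\.core/jackson-databind/pom\.properties$"
)


def parse_version(text):
    """Turn '2.12.1' or '2.13.2.1' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def bundled_databind_versions(jar_bytes):
    """Return every jackson-databind version declared in the jar's Maven metadata."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_PROPS.search(name):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        found.append(value.strip())
    return found


def vulnerable_versions(jar_bytes, fixed=FIXED_VERSION):
    """Versions below the fixed one. An empty result only means nothing was flagged:
    a build that strips META-INF/maven leaves no metadata to check, not a clean jar."""
    return [v for v in bundled_databind_versions(jar_bytes) if parse_version(v) < fixed]


def build_sample_jar(version):
    """Constructed stand-in for a shaded jar so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            f"groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.12.1", "2.13.2"):
        print(v, "->", vulnerable_versions(build_sample_jar(v)) or "not flagged")
```

To run it against a real artifact, pass the bytes of the shaded jar read from disk to `vulnerable_versions` instead of the constructed sample.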