[jira] [Commented] (FLINK-29853) Older jackson-databind found in flink-kubernetes-operator-1.2.0-shaded.jar

Wed, 09 Nov 2022 14:10:31 -0800 


    [ 
https://issues.apache.org/jira/browse/FLINK-29853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631313#comment-17631313
 ] 

James Busche commented on FLINK-29853:
--------------------------------------

OK, good news - 2.14.0 has GA'd and looks good.  Image scans clean (no fixable 
vulnerabilities) and the basic example works:
{quote}kubectl get pods

NAME                                         READY   STATUS    RESTARTS   AGE

basic-example-56876dc586-df769               1/1     Running   0          13m

basic-example-taskmanager-1-1                1/1     Running   0          13m

flink-kubernetes-operator-7d5c7b77f7-5wgb8   2/2     Running   0          14m
{quote}
I'll put a PR through, see how it looks...

> Older jackson-databind found in flink-kubernetes-operator-1.2.0-shaded.jar
> --------------------------------------------------------------------------
>
>                 Key: FLINK-29853
>                 URL: https://issues.apache.org/jira/browse/FLINK-29853
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.2.1
>            Reporter: James Busche
>            Priority: Major
>
> A Twistlock security scan of the existing 1.2.0 operator as well as the 
> current main release shows a high vulnerability with the current 
> jackson-databind version.
> ======
> severity: High
> cvss: 7.5
> riskFactors:  Attack complexity: low,Attack vector: network,Has fix,High 
> severity,Recent vulnerability
> CVE link: [https://nvd.nist.gov/vuln/detail/CVE-2022-42003]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: 
> /flink-kubernetes-operator/flink-kubernetes-operator-1.2.0-shaded.jar and/or 
> /flink-kubernetes-operator/flink-kubernetes-operator-1.3-SNAPSHOT-shaded.jar
> description: In FasterXML jackson-databind before 2.14.0-rc1, resource 
> exhaustion can occur because of a lack of a check in primitive value 
> deserializers to avoid deep wrapper array nesting, when the 
> UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 
> 2.13.4.1 and 2.12.17.1
> ====
> This is exactly like the older issue 
> https://issues.apache.org/jira/browse/FLINK-27654 
> I'm going to see if I can fix it myself and create a PR if I'm successful.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to