[ https://issues.apache.org/jira/browse/FLINK-24736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17749887#comment-17749887 ]

LEONID ILYEVSKY commented on FLINK-24736:
-----------------------------------------

Half a year later, in 1.18-SNAPSHOT, it is still the same problem. I looked 
into the root cause of it, which obviously is the old versions of the netty 
dependencies.

Here is a list of detected vulnerabilities:

[NVD - CVE-2019-20444 
(nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2019-20444]

[NVD - CVE-2019-20445 
(nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2019-20445]

[NVD - CVE-2019-16869 
(nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2019-16869]

[NVD - CVE-2021-43797 
(nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-43797]

Across various subprojects, I found the following versions of netty used:

2.0.59.Final
4.1.46.Final
4.1.91.Final
4.1.70.Final
3.10.6.Final

This has to be uniformly updated, in order to eliminate vulnerabilities and
allow using the libraries behind corporate firewalls.

At this moment the latest stable netty version is 4.1.96.Final.

Can this issue be assigned to somebody?

> Non-vulnerable jar files for Apache Flink 1.14.4
> ------------------------------------------------
>
>                 Key: FLINK-24736
>                 URL: https://issues.apache.org/jira/browse/FLINK-24736
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Parag Somani
>            Priority: Major
>
> Hello,
> We are using Apache Flink 1.14.4 as one of the base images in our production. Due
> to a recent upgrade, we have many container security defects.
> I am using "flink-1.14.4-bin-scala_2.12" in our k8s env.
> Please assist with a Flink version having non-vulnerable libraries. The list of
> vulnerable libs is as follows:
> [7.5] [CVE-2019-16869] [flink-rpc-akka-loader] [1.14.4]
> [9.1] [CVE-2019-20444] [flink-rpc-akka-loader] [1.14.4]
> [9.1] [CVE-2019-20445] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [sonatype-2019-0115] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [sonatype-2020-0029] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [CVE-2019-16869] [flink-rpc-akka] [1.14.4]
> [9.1] [CVE-2019-20444] [flink-rpc-akka] [1.14.4]
> [9.1] [CVE-2019-20445] [flink-rpc-akka] [1.14.4]
> [7.5] [sonatype-2019-0115] [flink-rpc-akka] [1.14.4]
> [7.5] [sonatype-2020-0029] [flink-rpc-akka] [1.14.4]
> Can you assist with this?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
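A way to reproduce the version survey in the comment above against an actual build tree, added here as an example; it is not code from the Jira thread or from the Flink project. It assumes the Maven `META-INF/maven/io.netty/<artifactId>/pom.properties` markers survive shading (the shade plugin keeps them unless configured to strip them), descends into jars nested inside other jars on the assumption that a `-loader` style artifact packages its dependencies that way, and uses 4.1.96.Final, the release the comment names as latest stable, as the floor below which a copy is flagged. The jar names and contents it scans are constructed sample data, and the floor says nothing about which release fixes which of the listed CVEs.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Floor for the netty line. The comment above names 4.1.96.Final as the latest
# stable release at the time; using it as the minimum is this example's
# assumption, not a statement about which release fixes which CVE.
MIN_NETTY = (4, 1, 96)

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into every
# jar it builds, and the shade plugin keeps those entries unless told to strip
# them, so an io.netty marker inside another jar reveals a bundled netty copy.
POM_PROPS_RE = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")


def parse_version(text):
    """'4.1.46.Final' -> (4, 1, 46). Numeric components only; a qualifier such
    as 'Final' or 'SNAPSHOT' ends the tuple. Unparseable input gives ()."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def netty_artifacts_in_jar(data, where):
    """Yield (artifactId, version, location) for each io.netty pom.properties
    in the jar bytes, descending into jars nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.infolist():
            match = POM_PROPS_RE.match(entry.filename)
            if match:
                props = {}
                for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.lstrip().startswith("#"):
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                yield (match.group(1), props.get("version", "unknown"), where)
            elif entry.filename.endswith(".jar"):
                yield from netty_artifacts_in_jar(zf.read(entry), f"{where}!/{entry.filename}")


def scan_tree(root):
    """Collect netty findings from every *.jar under root (for a Flink
    distribution that would be its lib/ and opt/ directories)."""
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        findings.extend(netty_artifacts_in_jar(jar.read_bytes(), jar.relative_to(root).as_posix()))
    return findings


def flag_outdated(findings, minimum=MIN_NETTY):
    """Keep findings whose version is below the floor or cannot be parsed.
    A 3.10.x copy sorts below (4, 1, 96) and is flagged without special-casing."""
    return [f for f in findings if not parse_version(f[1]) or parse_version(f[1]) < minimum]


def build_sample_tree(root):
    """Write a constructed lib/ tree: three jars with invented names whose only
    purpose is to carry io.netty markers. Not a real Flink distribution."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)

    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    def pom(artifact, version):
        return f"#Generated by Maven\nversion={version}\ngroupId=io.netty\nartifactId={artifact}\n"

    # An outer "loader" jar that carries the real classpath as an inner jar.
    inner = jar({"META-INF/maven/io.netty/netty/pom.properties": pom("netty", "3.10.6.Final")})
    (lib / "rpc-loader-sample.jar").write_bytes(jar({"rpc-inner-sample.jar": inner}))
    (lib / "shaded-netty-old-sample.jar").write_bytes(
        jar({"META-INF/maven/io.netty/netty-all/pom.properties": pom("netty-all", "4.1.91.Final")}))
    (lib / "shaded-netty-new-sample.jar").write_bytes(
        jar({"META-INF/maven/io.netty/netty-all/pom.properties": pom("netty-all", "4.1.96.Final")}))


def run_demo():
    """Build the sample tree in a temporary directory and return
    (all findings, flagged findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
        return findings, flag_outdated(findings)


if __name__ == "__main__":
    found, bad = run_demo()
    for artifact, version, where in found:
        mark = "FLAG" if (artifact, version, where) in bad else "ok  "
        print(f"{mark} io.netty:{artifact}:{version} in {where}")
```

Point `scan_tree` at an unpacked distribution instead of the sample tree to get the same report for real jars; a build that strips `META-INF/maven` would need a fallback such as fingerprinting relocated `io.netty` class names, which this example does not attempt.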