[ https://issues.apache.org/jira/browse/FLINK-39713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purushottam Sinha updated FLINK-39713:
--------------------------------------
    Description: 
Problem
Direct dependencies log4j, jackson-bom, and Beam (in the Flink Beam example) 
ship versions flagged by Trivy across operator and example modules. Bumping 
each to its latest stable within the same major retires ~50 of the report's 
findings without any transitive overrides.

Evidence
  - pom.xml:90 log4j.version 2.23.1 — CVE-2025-68161, CVE-2026-34477, 
CVE-2026-34478, CVE-2026-34479, CVE-2026-34480
  - pom.xml:128 jackson-bom 2.15.0 — GHSA-72hv-8253-57qq
  - examples/flink-beam-example/pom.xml:36 beam.version 2.62.0 — 37 
example-only findings (kaml, okio, wire-runtime, kafka-clients, 
opentelemetry-api, parallel Netty)

CVE detail per advisory
  * [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]: CVSS 4.8 
Medium, fixed in log4j-core 2.25.3. log4j-core Socket Appender fails to 
validate TLS hostnames; MITM on log traffic.
  * [CVE-2026-34477|https://nvd.nist.gov/vuln/detail/CVE-2026-34477]: CVSS 5.9 
Medium, fixed in log4j-core 2.25.4. {{verifyHostName}} silently ignored for 
SMTP/Socket/Syslog TLS connections.
  * [CVE-2026-34478|https://nvd.nist.gov/vuln/detail/CVE-2026-34478]: CVSS 7.5 
High, fixed in log4j-core 2.25.4. CRLF log injection via {{Rfc5424Layout}} 
after undocumented attribute renames.
  * [CVE-2026-34479|https://nvd.nist.gov/vuln/detail/CVE-2026-34479]: CVSS 7.5 
High, fixed in log4j-1.2-api 2.25.4. {{Log4j1XmlLayout}} doesn't escape XML 
1.0-forbidden chars; downstream-log DoS.
  * [CVE-2026-34480|https://nvd.nist.gov/vuln/detail/CVE-2026-34480]: CVSS 7.5 
High, fixed in log4j-core 2.25.4. {{XmlLayout}} doesn't sanitize XML 
1.0-forbidden chars; downstream-log DoS.
  * [GHSA-72hv-8253-57qq|https://github.com/advisories/GHSA-72hv-8253-57qq]: 
CVSS v4 6.9 Moderate (NVD has not issued v3), fixed in jackson-core 2.18.6 / 
2.21.1. Async parser bypasses {{maxNumberLength}}; memory/CPU exhaustion via 
long numbers.
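The three layout advisories above share one failure mode: control characters reach a layout unescaped, and whatever consumes the log stream (an XML parser for {{XmlLayout}}/{{Log4j1XmlLayout}}, a line- or RFC 5424-oriented collector for {{Rfc5424Layout}}) either rejects the record or reads one event as several. The following is an added illustration, not log4j code and not a reproduction of any of these CVEs: it renders a constructed message two ways and shows what a strict consumer does with each. {{render_event}}, {{sanitize_xml10}}, {{sanitize_line}} and {{count_line_records}} are hypothetical helper names.

```python
"""Added example: why unescaped control characters break downstream log consumers.
Not log4j code; the layouts here are minimal stand-ins."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Code points XML 1.0 forbids anywhere in a document, even as character references:
# everything below U+0020 except TAB/LF/CR, the surrogate block, and U+FFFE/U+FFFF.
_XML10_FORBIDDEN = re.compile(
    "[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def sanitize_xml10(text: str, replacement: str = "\uFFFD") -> str:
    """Replace XML 1.0-forbidden code points; markup characters are handled separately."""
    return _XML10_FORBIDDEN.sub(replacement, text)


def render_event(message: str, sanitize: bool = True) -> str:
    """Stand-in for an XML log layout. With sanitize=False it only entity-escapes
    <, > and & (which is not enough: U+0001 cannot appear in XML 1.0 at all)."""
    body = sanitize_xml10(message) if sanitize else message
    return f"<event><message>{xml_escape(body)}</message></event>"


def consumer_accepts(document: str) -> bool:
    """A strict XML consumer: True if the record parses, False if it is rejected."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def sanitize_line(message: str) -> str:
    """For line-oriented layouts: neutralise CR/LF so one event cannot be read as
    two records by a consumer that splits on newlines."""
    return message.replace("\r", "\\r").replace("\n", "\\n")


def count_line_records(stream: str) -> int:
    """How many records a newline-splitting collector would see in the stream."""
    return len([line for line in stream.split("\n") if line])


# Constructed inputs: a message carrying U+0001 and one carrying an embedded CRLF.
CONTROL_MSG = "user login\x01failed"
CRLF_MSG = "request done\r\nlevel=ERROR forged second record"

if __name__ == "__main__":
    raw = render_event(CONTROL_MSG, sanitize=False)
    clean = render_event(CONTROL_MSG)
    print("raw XML accepted:  ", consumer_accepts(raw))    # False
    print("clean XML accepted:", consumer_accepts(clean))  # True
    print("records, raw line:  ", count_line_records(CRLF_MSG + "\n"))             # 2
    print("records, clean line:", count_line_records(sanitize_line(CRLF_MSG) + "\n"))  # 1
```

The same unsanitised record can therefore either take down a consumer that fails closed on a parse error, or, for line-based formats, let a field in one event be presented as a separate event; a layout that owns the serialisation is the right place to fix both.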

Proposed fix
  - pom.xml:90: log4j.version 2.23.1 → 2.25.4
  - pom.xml:128: jackson-bom 2.15.0 → 2.21.3
  - examples/flink-beam-example/pom.xml:36: beam.version 2.62.0 → 2.73.0

Acceptance
  - ./mvnw verify passes
  - trivy fs --scanners vuln . shows the listed CVEs cleared
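The second acceptance criterion can be checked mechanically rather than by eyeballing the Trivy table. The script below is an added example (not part of this ticket or the operator repo): it reads a Trivy JSON report, which {{trivy fs --scanners vuln --format json -o trivy.json .}} produces, and fails if any of the advisory IDs from the Evidence section is still reported. The two embedded reports are constructed samples in Trivy's JSON layout, not real scan output; the {{CVE-0000-00000}} entry is a placeholder standing in for an unrelated finding that the gate must ignore.

```python
"""Added example: gate a Trivy JSON report on the advisory IDs a bump is meant to clear."""
import json
import sys

# Advisory IDs from the ticket's Evidence section.
EXPECTED_CLEARED = {
    "CVE-2025-68161", "CVE-2026-34477", "CVE-2026-34478",
    "CVE-2026-34479", "CVE-2026-34480", "GHSA-72hv-8253-57qq",
}


def findings(report: dict):
    """Yield (target, package, installed, fixed, id) for every vulnerability in a
    Trivy JSON report. Results without findings omit the "Vulnerabilities" key."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield (
                result.get("Target", ""), vuln.get("PkgName", ""),
                vuln.get("InstalledVersion", ""), vuln.get("FixedVersion", ""),
                vuln.get("VulnerabilityID", ""),
            )


def remaining(report: dict, expected=EXPECTED_CLEARED) -> dict:
    """Map each expected ID still present to (target, package, installed, fixed)."""
    return {vid: (t, p, inst, fix) for t, p, inst, fix, vid in findings(report)
            if vid in expected}


def gate(report: dict, expected=EXPECTED_CLEARED) -> int:
    """Exit status for CI: 0 when every expected ID is gone, 1 otherwise."""
    left = remaining(report, expected)
    for vid, (target, pkg, installed, fixed) in sorted(left.items()):
        print(f"STILL PRESENT {vid}: {pkg} {installed} in {target} (fixed in {fixed})")
    return 1 if left else 0


# Constructed sample: the pre-bump state, plus one unrelated placeholder finding.
BEFORE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2025-68161",
              "PkgName": "org.apache.logging.log4j:log4j-core",
              "InstalledVersion": "2.23.1", "FixedVersion": "2.25.3",
              "Severity": "MEDIUM"},
             {"VulnerabilityID": "GHSA-72hv-8253-57qq",
              "PkgName": "com.fasterxml.jackson.core:jackson-core",
              "InstalledVersion": "2.15.0", "FixedVersion": "2.18.6, 2.21.1",
              "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-0000-00000",  # placeholder, not in the ticket
              "PkgName": "example:unrelated", "InstalledVersion": "1.0",
              "FixedVersion": "1.1", "Severity": "LOW"},
         ]},
    ],
}

# Constructed sample: the post-bump state, no findings on either target.
AFTER_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom"},
        {"Target": "examples/flink-beam-example/pom.xml", "Class": "lang-pkgs",
         "Type": "pom"},
    ],
}

if __name__ == "__main__":
    # Real use: python gate.py trivy.json   (after trivy fs --format json -o trivy.json .)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(json.load(fh)))
    print("before:", gate(BEFORE_REPORT))  # 1, two IDs still present
    print("after: ", gate(AFTER_REPORT))   # 0
```

Keeping the ID set explicit in the gate, rather than asserting "zero findings", is deliberate: the example module's 37 Beam-transitive findings are tracked separately, and a bump that clears the six named advisories should pass even if unrelated findings remain.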


> flink-kubernetes-operator: Bump log4j, jackson, and Beam to retire CVEs
> -----------------------------------------------------------------------
>
>                 Key: FLINK-39713
>                 URL: https://issues.apache.org/jira/browse/FLINK-39713
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Kubernetes Operator
>            Reporter: Purushottam Sinha
>            Priority: Minor
>              Labels: pull-request-available
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
