Thanks Jim, appreciate the detailed response.
I don't allow my flink jobs to parse the schema per se. But my client
application does that. It parses the schema and generates the POJOs which are
then used in the Flink job.
So I must upgrade the Avro version in my client application and don't want
Hi Chirag,
How are you using Flink? Do you allow users to pass in arbitrary Avro
schemas to a Flink cluster?
If not, then I don't think the CVE applies to you. If so, then I'd imagine
that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable
mitigation. The fix in Apache Flink only
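Jim's suggestion of swapping the Avro 1.11.3 jar for 1.11.4, together with the original question about keeping flink-avro on 1.16.3, written out as a Maven override. This is an added example, not code from anyone in the thread; it assumes a Maven build in which flink-avro pulls Avro in transitively, and that the 1.11.4 patch release is drop-in compatible with 1.11.3 (the project coordinates are placeholders).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the client application -->
  <groupId>example.placeholder</groupId>
  <artifactId>avro-client-app</artifactId>
  <version>0.1.0</version>

  <!-- dependencyManagement takes precedence over the Avro version that
       flink-avro 1.16.3 would otherwise resolve transitively, so the
       patched 1.11.4 ends up on the classpath without touching flink-avro. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>1.11.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- flink-avro stays on the Flink version in use (1.16.3) -->
    <dependency>
      <groupId>org.apache.flink</groupId>
      <artifactId>flink-avro</artifactId>
      <version>1.16.3</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.avro:avro`, which should list avro 1.11.4 and nothing on 1.11.3; a shaded or fat jar should be inspected separately, since the resolved version only matters if that jar is what actually ships.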
Any view on this?
On Monday 28 October, 2024 at 04:16:17 pm IST, Chirag Dewan via user wrote:
Hi,
There is a critical CVE on Apache Avro - NVD - CVE-2024-47561
Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12?
If not, is it safe to upgrade just AVRO, keepin
Hi,
There is a critical CVE on Apache Avro - NVD - CVE-2024-47561
Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12?
If not, is it safe to upgrade just AVRO, keeping flink-avro on 1.16.3 (my
current Flink version).
Appreciate any inputs.
Thanks,
Chirag