Re: Dependency vulnerabilities with Apache Flink 1.10.1 version

2020-08-06 Thread Chesnay Schepler
log4j - If you don't use a Socket appender, you're good. Otherwise, you can replace the log4j jars in lib/ with a newer version. You could also upgrade to 1.11.1 which uses log4j2.

guava - We do not use Guava for serialization AFAIK. We also do not use Java serialization for records.

commons

Dependency vulnerabilities with Apache Flink 1.10.1 version

2020-08-06 Thread V N, Suchithra (Nokia - IN/Bangalore)
Hello,

We are using Apache Flink 1.10.1 version. During our security scans, the following issues are reported by our scan tool. Please let us know your comments on these dependency vulnerabilities.

Thanks,
Suchithra

-Original Message-
From: m...@gsuite.cloud.apache.org On Behalf Of Apache