Hi Vidya Sagar,

Thanks for bringing this up.

The RocksDB state backend defaults to Snappy[1]. If the compression option is not specifically configured, this ZLIB vulnerability has no effect on the Flink application for the time being.

> is there any plan in the coming days to address this?

The FRocksDB 6.20.3-ververica-1.0 <https://mvnrepository.com/artifact/com.ververica/frocksdbjni/6.20.3-ververica-1.0> does depend on ZLIB 1.2.11; FLINK-30321 is created to address this.

> If this needs to be fixed, is there any plan from Ververica to address this vulnerability?

Yes, we plan to publish a new version of FRocksDB[3] in Flink 1.17, and FLINK-30321 would be included in the new release.

> how to address this vulnerability issue as this is coming as a high severity blocking issue to our product.

As a kind of mitigation, don't configure ZLIB compression for the RocksDB state backend. If ZLIB must be used now and your product can't wait, maybe you can refer to this release document[4] to release your own version.

[1] https://github.com/facebook/rocksdb/wiki/Compression
[2] https://issues.apache.org/jira/browse/FLINK-30321
[3] https://cwiki.apache.org/confluence/display/FLINK/1.17+Release
[4] https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/FROCKSDB-RELEASE.md

--
Best,
Yanfei
Ververica (Alibaba)

Vidya Sagar Mula <mulasa...@gmail.com> wrote on Wed, Dec 7, 2022 at 06:47:

> Hi,
>
> There is a ZLIB vulnerability reported by the official National
> Vulnerability Database. This vulnerability causes memory corruption while
> deflating with ZLIB version less than 1.2.12.
> Here is the link for details...
>
> https://nvd.nist.gov/vuln/detail/cve-2018-25032#vulnCurrentDescriptionTitle
>
> How is it linked to Flink?:
> In the Flink statebackend rocksdb, ZLIB version 1.2.11 is used as
> part of the .so file. Hence, there is vulnerability exposure here.
>
> Flink code details/links:
> I am seeing the latest Flink code base where the statebackend rocksdb
> library (frocksdbjni) is coming from Ververica. The pom.xml dependency
> snapshot is here:
>
> https://github.com/apache/flink/blob/master/flink-state-backends/flink-statebackend-rocksdb/pom.xml
>
> <dependency>
>   <groupId>com.ververica</groupId>
>   <artifactId>frocksdbjni</artifactId>
>   <version>6.20.3-ververica-1.0</version>
> </dependency>
>
> When I see the frocksdbjni code base, the Makefile is pointing to
> ZLIB_VER=1.2.11. This ZLIB version is vulnerable as per the NVD.
>
> https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/Makefile
>
> Questions:
>
> - This vulnerability is marked as HIGH severity. How is it addressed at
> the Flink/Flink Statebackend RocksDB? If not now, is there any plan in the
> coming days to address this?
>
> - As the Statebackend RocksDB is coming from Ververica, I am not seeing
> any latest artifacts published from them. As per the Maven Repository, the
> latest version is 6.20.3-ververica-1.0
> <https://mvnrepository.com/artifact/com.ververica/frocksdbjni/6.20.3-ververica-1.0>
> and this is the one used in the Flink code base.
>
> https://mvnrepository.com/artifact/com.ververica/frocksdbjni
>
> If this needs to be fixed, is there any plan from Ververica to address
> this vulnerability?
>
> - From the Flink user perspective, it is not simple to make the changes to
> the .so file locally. How are the Flink user companies addressing this
> vulnerability as it needs changes to the .so file?
>
> Overall, my main question to the community is, how to address this
> vulnerability issue as this is coming as a high severity blocking issue to
> our product.
>
> Please provide the inputs/suggestions at the earliest.
>
> Thanks,
> Vidya Sagar.
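The thread turns on which zlib version is compiled into the native library inside the frocksdbjni jar, which is not visible from Maven metadata. The following is an added example, not code from the thread or from the Flink or FRocksDB projects: it unpacks a jar, scans every native library entry for the copyright strings zlib bakes into deflate.c and inflate.c ("deflate <ver> Copyright ..." / "inflate <ver> Copyright ..."), and reports any version below 1.2.12, the fix version the NVD entry gives for CVE-2018-25032. It assumes zlib is statically linked into the JNI library so that those strings are present; the sample jar, the entry name `librocksdbjni-linux64.so` and the copyright years are constructed for the demonstration.

```python
"""Report native libraries in a jar whose embedded zlib is older than 1.2.12.

Added example (not from the mailing-list thread, Flink or FRocksDB).
Assumption: the JNI .so statically links zlib, so zlib's version strings
from deflate.c / inflate.c appear verbatim in the binary.
"""
import io
import re
import sys
import zipfile
from typing import Dict, Set, Tuple

# zlib compiles these two strings into every build (deflate_copyright / inflate_copyright).
ZLIB_VERSION_RE = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")
# CVE-2018-25032 is fixed in zlib 1.2.12 (per the NVD entry cited in the thread).
FIXED_VERSION = (1, 2, 12)
NATIVE_SUFFIXES = (".so", ".dylib", ".dll", ".jnilib")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def scan_native_blob(blob: bytes) -> Set[str]:
    """Return the set of zlib version strings found in one native library."""
    return {m.group(2).decode() for m in ZLIB_VERSION_RE.finditer(blob)}


def scan_jar(jar_bytes: bytes) -> Dict[str, Set[str]]:
    """Map each native library entry in the jar to the zlib versions it embeds."""
    found: Dict[str, Set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.lower().endswith(NATIVE_SUFFIXES):
                versions = scan_native_blob(jar.read(name))
                if versions:
                    found[name] = versions
    return found


def vulnerable_versions(found: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Keep only libraries carrying a zlib older than FIXED_VERSION."""
    return {
        name: {v for v in versions if parse_version(v) < FIXED_VERSION}
        for name, versions in found.items()
        if any(parse_version(v) < FIXED_VERSION for v in versions)
    }


def build_sample_jar(zlib_version: str) -> bytes:
    """Constructed stand-in for frocksdbjni.jar: a fake .so carrying zlib's strings."""
    fake_so = (
        b"\x7fELF\x00\x00padding\x00"
        + f"deflate {zlib_version} Copyright 1995-2017 Jean-loup Gailly and Mark Adler".encode()
        + b"\x00more padding\x00"
        + f"inflate {zlib_version} Copyright 1995-2017 Mark Adler".encode()
        + b"\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("librocksdbjni-linux64.so", fake_so)   # constructed entry name
        jar.writestr("org/rocksdb/RocksDB.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def check_jar_file(path: str) -> Dict[str, Set[str]]:
    """Scan a jar on disk (e.g. the frocksdbjni jar from the local Maven cache)."""
    with open(path, "rb") as f:
        return vulnerable_versions(scan_jar(f.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = check_jar_file(sys.argv[1])
    else:  # no jar given: run against the constructed sample
        report = vulnerable_versions(scan_jar(build_sample_jar("1.2.11")))
    for lib, versions in report.items():
        print(f"{lib}: embedded zlib {sorted(versions)} < 1.2.12 (CVE-2018-25032)")
    if not report:
        print("no zlib older than 1.2.12 found")
```

Run it with the path to the frocksdbjni jar from your Maven cache; with no argument it scans the constructed sample. A hit tells you the vulnerable code is bundled, which is what a scanner flags; whether it is reachable still depends on the compression option Yanfei describes, since the deflate path is only exercised when ZLIB compression is configured for the state backend.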