Hi Chirag,

How are you using Flink? Do you allow users to pass in arbitrary Avro schemas to a Flink cluster?

If not, then I don't think the CVE applies to you. If so, then I'd imagine that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable mitigation.

The fix in Apache Flink only changed the versions:
https://github.com/apache/flink/commit/411c788cc25581be9801ba0980c3e4957c33bc80

The CVE description reads:

"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."

Cheers,
Jim

On Wed, Oct 30, 2024 at 1:26 AM Chirag Dewan via user <user@flink.apache.org> wrote:
> Any view on this?
>
> On Monday 28 October, 2024 at 04:16:17 pm IST, Chirag Dewan via user <user@flink.apache.org> wrote:
>
> Hi,
>
> There is a critical CVE on Apache Avro - NVD - CVE-2024-47561
> <https://nvd.nist.gov/vuln/detail/CVE-2024-47561>
>
> Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12?
>
> If not, is it safe to upgrade just AVRO, keeping flink-avro on 1.16.3 (my current Flink version).
>
> Appreciate any inputs.
>
> Thanks,
> Chirag
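Before swapping jars as Jim suggests, it helps to know exactly where Avro lives in a deployment: a plain avro-<version>.jar in lib/, a format jar that bundles the Avro classes, or a user job jar. The script below is an added example (not code from this thread, from Flink or from the Avro project). It walks a directory tree, opens every jar, treats the presence of org/apache/avro/Schema.class as "bundles Avro", reads the version from the standard Maven metadata file META-INF/maven/org.apache.avro/avro/pom.properties (falling back to the avro-<version>.jar file name), and flags anything below 1.11.4, the lower of the two fixed releases named in the CVE text quoted above. The sample jars it scans are constructed stand-ins built in a temp directory, not real Flink or Avro artifacts; pass a real directory such as $FLINK_HOME/lib as the first argument to scan a deployment instead.

```python
"""Locate bundled Apache Avro in a tree of jars and flag versions below the fixed release."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CVE-2024-47561 text: 1.11.4 and 1.12.0 fix the issue, so anything below 1.11.4 is affected.
FIXED_VERSION = (1, 11, 4)

# Present in every Avro Java SDK jar. A jar that relocates the package (shading) will not
# match this path and must be inspected by hand.
AVRO_MARKER_CLASS = "org/apache/avro/Schema.class"
# Standard Maven packaging metadata that records the bundled artifact's version.
AVRO_POM_PROPERTIES = "META-INF/maven/org.apache.avro/avro/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Only a jar literally named avro-<version>... is trusted for the file-name fallback;
# flink-sql-avro-1.16.3.jar carries the Flink version, not the Avro one.
AVRO_JAR_NAME_RE = re.compile(r"^avro-(\d+\.\d+\.\d+)[^/]*\.jar$")


@dataclass
class AvroHit:
    jar: str                    # file name of the jar that bundles Avro classes
    version: Optional[str]      # Avro version string, if it could be determined
    vulnerable: Optional[bool]  # None when the version is unknown


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from '1.11.3' or '1.11.3-SNAPSHOT'; None if absent."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def inspect_jar(jar_path: str) -> Optional[AvroHit]:
    """Return an AvroHit if the jar bundles Avro classes, else None."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if AVRO_MARKER_CLASS not in names:
            return None
        version = None
        if AVRO_POM_PROPERTIES in names:
            for line in zf.read(AVRO_POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
                    break
    name = os.path.basename(jar_path)
    if version is None:
        m = AVRO_JAR_NAME_RE.match(name)
        version = m.group(1) if m else None
    parsed = parse_version(version) if version else None
    vulnerable = (parsed < FIXED_VERSION) if parsed else None
    return AvroHit(jar=name, version=version, vulnerable=vulnerable)


def scan_jars(root: str) -> List[AvroHit]:
    """Recursively inspect every *.jar under root; hits sorted by jar name."""
    hits: List[AvroHit] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                hit = inspect_jar(os.path.join(dirpath, f))
                if hit is not None:
                    hits.append(hit)
    return sorted(hits, key=lambda h: h.jar)


def _write_jar(path: str, entries: Dict[str, bytes]) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_jars(root: str) -> str:
    """Constructed sample jars for the demo: placeholder class bytes, not real artifacts."""
    def avro_entries(version: str) -> Dict[str, bytes]:
        return {
            AVRO_MARKER_CLASS: b"\xca\xfe\xba\xbe",
            AVRO_POM_PROPERTIES: f"groupId=org.apache.avro\nartifactId=avro\nversion={version}\n".encode(),
        }
    _write_jar(os.path.join(root, "lib", "avro-1.11.3.jar"), avro_entries("1.11.3"))
    _write_jar(os.path.join(root, "lib", "avro-1.11.4.jar"), avro_entries("1.11.4"))
    # A format fat jar that bundles Avro unrelocated alongside its own classes (constructed).
    fat = avro_entries("1.11.3")
    fat["org/apache/flink/formats/avro/Placeholder.class"] = b"\xca\xfe\xba\xbe"
    _write_jar(os.path.join(root, "lib", "flink-sql-avro-1.16.3.jar"), fat)
    # A jar with no Avro classes at all: must not be reported.
    _write_jar(os.path.join(root, "lib", "flink-dist-1.16.3.jar"), {"org/apache/flink/Placeholder.class": b""})
    # A user job jar that bundles Avro but stripped the Maven metadata: version unknown.
    _write_jar(os.path.join(root, "usrlib", "my-job.jar"), {AVRO_MARKER_CLASS: b""})
    return root


def demo() -> Dict[str, Tuple[Optional[str], Optional[bool]]]:
    """Scan the constructed sample tree; returns {jar: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {h.jar: (h.version, h.vulnerable) for h in scan_jars(build_sample_jars(tmp))}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {h.jar: (h.version, h.vulnerable) for h in scan_jars(sys.argv[1])}
    else:
        results = demo()
    labels = {True: "VULNERABLE (< 1.11.4)", False: "fixed", None: "unknown version, inspect manually"}
    for jar, (version, vulnerable) in results.items():
        print(f"{jar}: avro {version or '?'} -> {labels[vulnerable]}")
```

Two caveats follow from how the check works. A fat jar that bundles Avro 1.11.3 (the constructed flink-sql-avro stand-in above) is still reported as vulnerable after you drop a separate avro-1.11.4.jar into lib/, because both copies end up on the classpath and which one wins depends on class-loading order; for such jars the whole format jar has to be rebuilt or replaced. A jar that bundles Avro but stripped the Maven metadata (the my-job.jar stand-in) comes back as "unknown version" rather than being silently passed, so it is listed for manual inspection.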