Thanks Jim, appreciate the detailed response.
I dont allow my flink jobs to parse the schema per se. But my client
application does that. It parses the schema and generates the POJOs which are
then used in the Flink job.
So I must upgrade the Avro version in my client application and dont want a
situation where classes are generated on a different version and are serialized
and deserialized using different versions (although reading the RNs for Avro
from 1.11.1 to 1.11.4 suggests that should not be a problem too).
Thanks,Chirag
On Thursday 31 October, 2024 at 08:35:17 am IST, Jim Hughes
<jhug...@confluent.io> wrote:
Hi Chirag,
How are you using Flink? Do you allow users to pass in arbitrary Avro schemas
to a Flink cluster?
If not, then I don't think the CVE applies to you. If so, then I'd imagine
that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable
mitigation. The fix in Apache Flink only changed the versions:
https://github.com/apache/flink/commit/411c788cc25581be9801ba0980c3e4957c33bc80
The CVE description reads:
"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions
allows bad actors to execute arbitrary code. Users are recommended to upgrade
to version 1.11.4 or 1.12.0, which fix this issue."
Cheers,
Jim
On Wed, Oct 30, 2024 at 1:26 AM Chirag Dewan via user <user@flink.apache.org>
wrote:
Any view on this?
On Monday 28 October, 2024 at 04:16:17 pm IST, Chirag Dewan via user
<user@flink.apache.org> wrote:
Hi,
There is a critical CVE on Apache Avro - NVD - CVE-2024-47561
Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12?
If not, is it safe to upgrade just AVRO, keeping flink-avro on 1.16.3 (my
current Flink version).
Appreciate any inputs.
Thanks,Chirag
|
|
|
| | |
|
|
|
| |
NVD - CVE-2024-47561
|
|
|
