Thanks Jim, appreciate the detailed response.
I don't allow my Flink jobs to parse the schema per se. But my client 
application does that. It parses the schema and generates the POJOs which are 
then used in the Flink job. 
So I must upgrade the Avro version in my client application and don't want a 
situation where classes are generated on a different version and are serialized 
and deserialized using different versions (although reading the RNs for Avro 
from 1.11.1 to 1.11.4 suggests that should not be a problem either). 
Thanks,
Chirag
On Thursday 31 October, 2024 at 08:35:17 am IST, Jim Hughes 
<jhug...@confluent.io> wrote:

Hi Chirag,
How are you using Flink?  Do you allow users to pass in arbitrary Avro schemas 
to a Flink cluster?  

If not, then I don't think the CVE applies to you.  If so, then I'd imagine 
that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable 
mitigation.  The fix in Apache Flink only changed the versions: 
https://github.com/apache/flink/commit/411c788cc25581be9801ba0980c3e4957c33bc80

The CVE description reads:

"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions 
allows bad actors to execute arbitrary code. Users are recommended to upgrade 
to version 1.11.4 or 1.12.0, which fix this issue."
Cheers,
Jim
On Wed, Oct 30, 2024 at 1:26 AM Chirag Dewan via user <user@flink.apache.org> 
wrote:

Any view on this? 

On Monday 28 October, 2024 at 04:16:17 pm IST, Chirag Dewan via user 
<user@flink.apache.org> wrote:

Hi,
There is a critical CVE on Apache Avro - NVD - CVE-2024-47561

Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12?
If not, is it safe to upgrade just Avro, keeping flink-avro on 1.16.3 (my 
current Flink version)?

Appreciate any inputs. 
Thanks,
Chirag
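The mitigation Jim describes (keep flink-avro 1.16.3, swap the Avro runtime for 1.11.4) and Chirag's concern that the code-generation side use the same version can both be expressed in one build file. The fragment below is an added illustration, not from the thread or from the Flink project; it assumes a Maven build, and the `avro.version` property name is chosen here.

```xml
<!-- Added example (not from the thread). Assumes a Maven build.
     One property drives both the runtime library and the code generator,
     so generated POJOs and the serializer/deserializer share a version. -->
<properties>
  <avro.version>1.11.4</avro.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Overrides the transitive org.apache.avro:avro that flink-avro pulls in -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>${avro.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Flink stays on the version already in production -->
  <dependency>
    <groupId>org.apache.flink</groupId>
    <artifactId>flink-avro</artifactId>
    <version>1.16.3</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Code generation in the client module uses the same Avro release -->
    <plugin>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro-maven-plugin</artifactId>
      <version>${avro.version}</version>
      <executions>
        <execution>
          <phase>generate-sources</phase>
          <goals>
            <goal>schema</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.avro` should list only 1.11.4 for `org.apache.avro:avro`; any other version still appearing means some other dependency is bringing in its own copy and the shaded job jar deployed to the cluster would not be fixed.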