Thanks Jim, appreciate the detailed response.

I don't allow my Flink jobs to parse the schema per se. But my client application does that. It parses the schema and generates the POJOs which are then used in the Flink job. So I must upgrade the Avro version in my client application and don't want a situation where classes are generated on a different version and are serialized and deserialized using different versions (although reading the RNs for Avro from 1.11.1 to 1.11.4 suggests that should not be a problem either).

Thanks,
Chirag

On Thursday 31 October, 2024 at 08:35:17 am IST, Jim Hughes <jhug...@confluent.io> wrote:

> Hi Chirag,
>
> How are you using Flink? Do you allow users to pass in arbitrary Avro schemas to a Flink cluster?
>
> If not, then I don't think the CVE applies to you. If so, then I'd imagine that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable mitigation. The fix in Apache Flink only changed the versions:
> https://github.com/apache/flink/commit/411c788cc25581be9801ba0980c3e4957c33bc80
>
> The CVE description reads: "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."
>
> Cheers,
> Jim
>
> On Wed, Oct 30, 2024 at 1:26 AM Chirag Dewan via user <user@flink.apache.org> wrote:
>
>> Any view on this?
>>
>> On Monday 28 October, 2024 at 04:16:17 pm IST, Chirag Dewan via user <user@flink.apache.org> wrote:
>>
>>> Hi,
>>>
>>> There is a critical CVE on Apache Avro - NVD - CVE-2024-47561
>>>
>>> Is there a released Flink version which has upgraded Avro to 1.11.4 or 1.12? If not, is it safe to upgrade just Avro, keeping flink-avro on 1.16.3 (my current Flink version)?
>>>
>>> Appreciate any inputs.
>>>
>>> Thanks,
>>> Chirag
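A build-time way to apply the mitigation discussed in the thread (pin Avro to 1.11.4 while staying on flink-avro 1.16.3) and to fail the build if an older Avro is reintroduced transitively. This is an added example, not code from the thread or from the Flink project; it assumes the job is built with Maven and already declares org.apache.flink:flink-avro:1.16.3.

```xml
<!-- Added example, not from the thread or the Flink project: pom.xml fragment for a
     Maven-based Flink job that already depends on org.apache.flink:flink-avro:1.16.3
     (which pulls in org.apache.avro:avro:1.11.3 transitively). -->
<dependencyManagement>
  <dependencies>
    <!-- Force every transitive org.apache.avro:avro to resolve to 1.11.4, the fixed
         release named in the CVE text, so the job and the POJO-generating client app
         run the same Avro version. -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.11.4</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <!-- Fail the build if an Avro older than 1.11.4 still reaches the classpath
         through any dependency (e.g. a module whose pom was not updated). -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>ban-vulnerable-avro</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <!-- version range: any org.apache.avro:avro below 1.11.4 -->
                  <exclude>org.apache.avro:avro:[,1.11.4)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Confirm the resolved version with `mvn dependency:tree -Dincludes=org.apache.avro`; the enforcer rule runs in the default validate phase, so a stale 1.11.3 anywhere in the tree stops the build before packaging.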