Hi all,

Recently, we detected some active CVEs on the flink-shaded-guava and flink-shaded-zookeeper packages used in Flink 1.18. Since Flink 1.18 is still in support for security fixes, we should consider fixing this. However, since the vulnerable package is coming from flink-shaded, I wanted to check if there are thoughts from the community around releasing a patch version of flink-shaded.

Problem:

Flink 1.18 uses guava 31.1-jre from flink-shaded-guava 17.0, which is affected by CVE-2023-2976 (HIGH) [1] and CVE-2020-8908 (LOW) [2]. Flink 1.18 also uses zookeeper 3.7.1, which is affected by CVE-2023-44981 (CRITICAL) [3].

To fix, I can think of two options:

Option 1: Upgrade Flink 1.18 to use flink.shaded.version 18.0. This is easiest as we can backport the change for Flink 1.19 directly (after the performance regression is addressed) [4]. However, there are also upgrades to jackson, asm and netty in flink.shaded.version 1.18.

Option 2: Release flink.shaded.version 17.1, with just a bump in zookeeper and guava versions. Then, upgrade Flink 1.18 to use this new flink.shaded.version 17.1. This is harder, but keeps the changes contained and minimal.

Given the version bump is on flink-shaded, which is relocated to keep the usage of libraries contained within the flink runtime itself, I am inclined to go with Option 1, even though the change is slightly larger than just the security fixes.

Do people have any objections?

Regards,
Hong

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-44981
[4] https://issues.apache.org/jira/browse/FLINK-33705