Hi Hong,

We were facing exactly the same guava issues and after analyzing those
CVEs, we reached the same conclusion as what Chesnay mentioned.

Best regards,
Jing

On Fri, Feb 2, 2024 at 10:18 AM Chesnay Schepler <ches...@apache.org> wrote:

> Guava CVEs don't apply because it's all about using its createTempDir
> method which we don't use.
>
> Zookeeper CVE doesn't really apply because it's a server-side issue.
>
> On 02/02/2024 09:42, Martijn Visser wrote:
> > To add to this: we can't upgrade to flink-shaded 18.0, since we've just
> > reverted that for Flink 1.19 because of the performance regression. We
> > will need a new flink-shaded version to deal with these performance
> > regressions.
> >
> > On Fri, Feb 2, 2024 at 9:39 AM Martijn Visser <martijnvis...@apache.org>
> > wrote:
> >
> >> Hi Hong,
> >>
> >> I do have objections: upgrading Flink-Shaded in a patch version is
> >> something that we should not take lightly, since it involves components
> >> that are used in the core functionality of Flink. We've seen in the past
> >> that changes in Flink Shaded have an impact on stability and
> >> performance. I would like to see how Flink is affected by these CVEs,
> >> since in almost all cases these are false-positives for Flink.
> >>
> >> Best regards,
> >>
> >> Martijn
> >>
> >> On Thu, Feb 1, 2024 at 4:22 PM Hong Liang <h...@apache.org> wrote:
> >>
> >>> Hi all,
> >>>
> >>> Recently, we detected some active CVEs on the flink-shaded-guava and
> >>> flink-shaded-zookeeper packages used in Flink 1.18. Since Flink 1.18 is
> >>> still in support for security fixes, we should consider fixing this.
> >>> However, since the vulnerable package is coming from flink-shaded, I
> >>> wanted to check if there are thoughts from the community around
> >>> releasing a patch version of flink-shaded.
> >>>
> >>> Problem:
> >>> Flink 1.18 uses guava 31.1-jre from flink-shaded-guava 17.0, which is
> >>> affected by CVE-2023-2976 (HIGH) [1] and CVE-2020-8908 (LOW) [2]. Flink
> >>> 1.18 also uses zookeeper 3.7.1, which is affected by CVE-2023-44981
> >>> (CRITICAL) [3].
> >>>
> >>> To fix, I can think of two options:
> >>> Option 1:
> >>> Upgrade Flink 1.18 to use flink.shaded.version 18.0. This is easiest
> >>> as we can backport the change for Flink 1.19 directly (after the
> >>> performance regression is addressed) [4]. However, there are also
> >>> upgrades to jackson, asm and netty in flink.shaded.version 1.18.
> >>>
> >>> Option 2:
> >>> Release flink.shaded.version 17.1, with just a bump in zookeeper and
> >>> guava versions. Then, upgrade Flink 1.18 to use this new
> >>> flink.shaded.version 17.1. This is harder, but keeps the changes
> >>> contained and minimal.
> >>>
> >>> Given the version bump is on flink-shaded, which is relocated to keep
> >>> the usage of libraries contained within the flink runtime itself, I am
> >>> inclined to go with Option 1, even though the change is slightly larger
> >>> than just the security fixes.
> >>>
> >>> Do people have any objections?
> >>>
> >>>
> >>> Regards,
> >>> Hong
> >>>
> >>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
> >>> [2] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
> >>> [3] https://nvd.nist.gov/vuln/detail/CVE-2023-44981
> >>> [4] https://issues.apache.org/jira/browse/FLINK-33705
> >>>
>
>

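The "we don't use createTempDir" argument above is a reachability claim, and it is cheap to back it with evidence rather than a grep of source code: every call site in a compiled class leaves a Methodref entry in the class file's constant pool, and those entries survive shading because the relocation only rewrites the owner's package prefix. The script below is an added example written for this thread, not code from Flink or flink-shaded. It parses the constant pool of each .class entry in a jar and reports references to Guava's Files.createTempDir, matching the owner class by suffix so that a relocated copy is found as well. The relocation prefix org/apache/flink/shaded/guava31/ used in the constructed fixture jar is an assumption about how flink-shaded-guava renames the package; the fixture classes and their contents are constructed for the example and are not loadable classes.

```python
"""Find call sites of a given method (default: Guava Files.createTempDir, the API
behind CVE-2023-2976 / CVE-2020-8908) by reading constant-pool Methodref entries
of every class in a jar. Works on shaded jars: the owner class is matched as a
path suffix, so a relocated package prefix does not hide the reference."""
import io
import struct
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

TARGET_CLASS = "com/google/common/io/Files"   # unrelocated Guava class, matched as a suffix
TARGET_METHOD = "createTempDir"

_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8}        # Integer, Float, Long, Double payload sizes


def parse_constant_pool(data: bytes) -> List[Optional[Tuple[int, object]]]:
    """Return the constant pool as a 1-indexed list of (tag, payload). Payload is a str
    for Utf8 entries, a tuple of indices for Class/NameAndType/*ref entries, else raw bytes."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool: List[Optional[Tuple[int, object]]] = [None] * count
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                # Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in _FIXED_SIZE:                    # numeric constants
            pool[i] = (tag, data[off:off + _FIXED_SIZE[tag]])
            off += _FIXED_SIZE[tag]
            if tag in (5, 6):                       # Long/Double take two pool slots
                i += 1
        elif tag in (7, 8, 16, 19, 20):             # Class, String, MethodType, Module, Package
            pool[i] = (tag, struct.unpack_from(">H", data, off))
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):        # *ref, NameAndType, (Invoke)Dynamic
            pool[i] = (tag, struct.unpack_from(">HH", data, off))
            off += 4
        elif tag == 15:                             # MethodHandle: u1 kind + u2 index
            pool[i] = (tag, struct.unpack_from(">BH", data, off))
            off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def method_refs(data: bytes) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner_class, method_name, descriptor) for each Methodref/InterfaceMethodref."""
    pool = parse_constant_pool(data)
    for entry in pool:
        if entry is not None and entry[0] in (10, 11):
            class_idx, nat_idx = entry[1]
            name_idx, desc_idx = pool[nat_idx][1]
            owner = pool[pool[class_idx][1][0]][1]
            yield owner, pool[name_idx][1], pool[desc_idx][1]


def find_calls(data: bytes, target_class: str = TARGET_CLASS,
               target_method: str = TARGET_METHOD) -> List[Tuple[str, str, str]]:
    """References to target_method on target_class, including relocated copies of the class."""
    return [(o, n, d) for o, n, d in method_refs(data)
            if (o == target_class or o.endswith("/" + target_class)) and n == target_method]


def scan_jar(jar: bytes) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each .class entry of a jar (given as bytes) to its matching references; only hits are kept."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                found = find_calls(zf.read(name))
                if found:
                    hits[name] = found
    return hits


def build_sample_class(calls: List[Tuple[str, str, str]]) -> bytes:
    """Constructed fixture: a minimal class file (no methods, not loadable) whose constant pool
    holds one Methodref per (owner, name, descriptor). Real scans use javac output, not this."""
    pool: List[bytes] = []

    def add(tag: int, payload: bytes) -> int:
        pool.append(bytes([tag]) + payload)
        return len(pool)                            # constant pool indices are 1-based

    def utf8(s: str) -> int:
        b = s.encode("utf-8")
        return add(1, struct.pack(">H", len(b)) + b)

    def klass(name: str) -> int:
        return add(7, struct.pack(">H", utf8(name)))

    this_cls, super_cls = klass("Sample"), klass("java/lang/Object")
    for owner, name, desc in calls:
        owner_idx = klass(owner)
        nat_idx = add(12, struct.pack(">HH", utf8(name), utf8(desc)))
        add(10, struct.pack(">HH", owner_idx, nat_idx))
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHHHHHH", 0x0021, this_cls, super_cls, 0, 0, 0, 0))


def sample_jar() -> bytes:
    """Constructed fixture jar: one class calling a relocated Guava createTempDir (assumed
    flink-shaded prefix), one class using other Files methods only."""
    shaded = "org/apache/flink/shaded/guava31/com/google/common/io/Files"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/TempDirUser.class", build_sample_class([
            (shaded, "createTempDir", "()Ljava/io/File;"),
            ("java/io/PrintStream", "println", "(Ljava/lang/String;)V")]))
        zf.writestr("app/Clean.class", build_sample_class([
            (shaded, "createParentDirs", "(Ljava/io/File;)V"),
            ("java/nio/file/Files", "createTempDirectory",
             "(Ljava/lang/String;[Ljava/nio/file/attribute/FileAttribute;)Ljava/nio/file/Path;")]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    jar_bytes = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_jar()
    for cls, calls in scan_jar(jar_bytes).items():
        for owner, name, desc in calls:
            print(f"{cls}: {owner}.{name}{desc}")
```

Run it against a built distribution jar (path argument) to get the list of classes that reference the method; an empty result across the shaded artifact and the application jars is the evidence behind "we don't use it". Two caveats a reviewer would raise: a constant-pool hit only proves a reference exists somewhere in that class, not that the code path is reachable at runtime, and a call made via reflection or a method handle by string name will not show up as a Methodref, so this check should complement, not replace, reading the CVE description against the code.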