Purushottam Sinha created FLINK-39580:
Summary: Bump Flink-controlled Java dependencies to resolve CVEs (log4j, jackson, assertj, netty)
Key: FLINK-39580
URL: https://issues.apache.org/jira/browse/FLINK-39580
Project: Flink
Issue Type: Improvement
Reporter: Purushottam Sinha
Description:
Several Flink-controlled Java dependencies in the root pom.xml have known CVEs requiring updates:
- log4j-core 2.25.3 contains CVE-2026-34477, CVE-2026-34478, CVE-2026-34480
- jackson-bom 2.20.1 (jackson-core transitive) contains GHSA-72hv-8253-57qq
- assertj-core 3.27.3 (test scope) contains CVE-2026-24400
- netty-bom 4.2.6.Final (covers netty-codec-http, netty-codec-http2, netty-codec-smtp, etc.) contains CVE-2025-59419, CVE-2025-67735, CVE-2026-33870, CVE-2026-33871
Proposed updates:
- Upgrade log4j to 2.25.4
- Upgrade jackson-bom to 2.21.1 (non-shaded Jackson uses; flink-shaded-jackson requires a separate upstream release in apache/flink-shaded, tracked separately)
- Upgrade assertj-core to 3.27.7
- Upgrade netty-bom to 4.2.11.Final
Out of scope:
CVEs that come in via Hadoop / kubernetes-client / kafka-clients transitives.
Predecessor: https://issues.apache.org/jira/browse/FLINK-39060
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
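A check a reviewer can run against a root pom.xml to confirm that the four coordinates named in the ticket are pinned at or above the proposed versions. This is an added example, not code from the ticket or from the Flink project; the sample POM below is constructed to mimic the usual property-based version pinning, and the minimum versions are taken from the proposed updates above.

```python
import re
import xml.etree.ElementTree as ET

# Every element of a pom.xml lives under the Maven POM namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# groupId:artifactId -> minimum version proposed in the ticket.
MIN_VERSIONS = {
    "org.apache.logging.log4j:log4j-core": "2.25.4",
    "com.fasterxml.jackson:jackson-bom": "2.21.1",
    "org.assertj:assertj-core": "3.27.7",
    "io.netty:netty-bom": "4.2.11.Final",
}

def version_key(version):
    """Numeric components only: '4.2.6.Final' -> (4, 2, 6). Qualifiers such as
    'Final' are ignored, which is sufficient for the release lines compared here."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def resolve(value, props):
    """Expand ${property} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def managed_versions(pom_xml):
    """Return {groupId:artifactId: resolved version} for every <dependency> that pins a version."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        if gid and aid and ver:
            found["%s:%s" % (gid, aid)] = resolve(ver, props)
    return found

def outdated(pom_xml, minimums=MIN_VERSIONS):
    """Coordinates pinned below the required minimum, as {coord: (current, required)}."""
    current = managed_versions(pom_xml)
    return {c: (current[c], req) for c, req in minimums.items()
            if c in current and version_key(current[c]) < version_key(req)}

# Constructed sample POM (not Flink's real pom.xml): two pins still at the vulnerable versions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.25.3</log4j.version><netty.version>4.2.6.Final</netty.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-bom</artifactId><version>${netty.version}</version></dependency>
    <dependency><groupId>org.assertj</groupId><artifactId>assertj-core</artifactId><version>3.27.7</version></dependency>
  </dependencies></dependencyManagement>
</project>"""
```

Running `outdated(SAMPLE_POM)` reports log4j-core and netty-bom as still below the proposed versions, while assertj-core passes; coordinates absent from the POM (jackson-bom here) are not reported, so a missing pin still needs a manual look.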
