[
https://issues.apache.org/jira/browse/FLINK-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539097#comment-17539097
]
Himanshu Shah commented on FLINK-3154:
--------------------------------------
An open vulnerability due to no class whitelisting in versions prior to Kryo
5.0.0 is flagged up as a security risk for Flink.
[https://github.com/EsotericSoftware/kryo/issues/398]
Is there a plan to upgrade to a newer version of kryo to remediate?
> Update Kryo version from 2.24.0 to 5.2.0
> ----------------------------------------
>
> Key: FLINK-3154
> URL: https://issues.apache.org/jira/browse/FLINK-3154
> Project: Flink
> Issue Type: Improvement
> Components: API / Type Serialization System
> Affects Versions: 1.0.0
> Reporter: Maximilian Michels
> Priority: Not a Priority
>
> Flink's Kryo version is outdated and could be updated to a newer version,
> e.g. kryo-3.0.3.
> From ML: we cannot bump the Kryo version easily - the serialization format
> changed (that's why they have a new major version), which would render all
> Flink savepoints and checkpoints incompatible.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
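To make the "class whitelisting" point in the comment above concrete, here is an added example that is not Flink's code and not taken from the linked Kryo issue. It shows the difference between Kryo's permissive mode (registrationRequired=false, the default before Kryo 5, where the stream carries fully qualified class names and the reader instantiates whatever it is told) and registration-required mode (the Kryo 5 default), where only explicitly registered classes can appear in a stream. It assumes Kryo 5.x on the classpath (the same calls exist in the 2.x line), and the classes Order and NotOnTheList and the helper method names are hypothetical.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;

/** Demonstrates Kryo class registration used as a deserialization allow-list (added example). */
public class KryoAllowListDemo {

    /** A type the application legitimately expects in its streams (hypothetical). */
    public static class Order {
        public String id;
        public long amountCents;
        public Order() {}
        public Order(String id, long amountCents) { this.id = id; this.amountCents = amountCents; }
    }

    /** Stands in for any class an attacker could name in a crafted stream (hypothetical). */
    public static class NotOnTheList {
        public String payload;
        public NotOnTheList() {}
        public NotOnTheList(String payload) { this.payload = payload; }
    }

    /** Permissive configuration: unregistered classes are written by name and instantiated on read. */
    static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false); // default in Kryo 2.x/3.x/4.x
        return kryo;
    }

    /** Hardened configuration: only registered classes may appear in a stream. */
    static Kryo strictKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);  // default in Kryo 5; set explicitly so older versions behave the same
        kryo.register(Order.class);
        // NotOnTheList is deliberately left unregistered.
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object value) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (Output out = new Output(bytes)) {
            kryo.writeClassAndObject(out, value); // class identity is part of the stream
        }
        return bytes.toByteArray();
    }

    static Object deserialize(Kryo kryo, byte[] data) {
        try (Input in = new Input(data)) {
            return kryo.readClassAndObject(in);
        }
    }

    public static void main(String[] args) {
        Kryo strict = strictKryo();

        // 1. A registered type round-trips normally under the strict configuration.
        Order order = (Order) deserialize(strict, serialize(strict, new Order("A-1", 1999)));
        System.out.println("registered type ok: " + order.id + " " + order.amountCents);

        // 2. Bytes from a permissive writer name an unregistered class; the strict reader refuses
        //    them when it resolves the class, before any instance of that class is created.
        byte[] untrusted = serialize(permissiveKryo(), new NotOnTheList("anything"));
        try {
            deserialize(strict, untrusted);
            System.out.println("UNEXPECTED: unregistered class was deserialized");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an IllegalArgumentException from Kryo's registration lookup. Two practical caveats: registration must cover every type reachable from the registered ones (fields, collection elements), or legitimate data is rejected too; and registering a class assigns it a numeric ID that becomes part of the stream format, so the set and order of registrations must be stable across versions of the reader, which is the same compatibility constraint the quoted issue describes for Flink savepoints and checkpoints.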