[jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx

Fri, 12 Aug 2022 12:41:06 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-22441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579116#comment-17579116
 ] 

Hongbo commented on FLINK-22441:
--------------------------------

[~martijnvisser]  How is it fixed in Flink 1.14? We can still see Netty 3.10.6 
is used in the latest version: 
[https://github.com/apache/flink/blob/master/flink-rpc/flink-rpc-akka/pom.xml#L102]
 and it show up in the scan results:

 
|etty Project|3.10.6.Final|BDSA-2018-4022|MEDIUM|4.7|
|Netty Project|3.10.6.Final|BDSA-2019-2642|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2643|MEDIUM|6.7|
|Netty Project|3.10.6.Final|BDSA-2019-2649|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2610|HIGH|7.2|
|Netty Project|3.10.6.Final|CVE-2019-16869 (BDSA-2019-3119)|HIGH|7.5|
|Netty Project|3.10.6.Final|BDSA-2020-0130|HIGH|8.8|
|Netty Project|3.10.6.Final|CVE-2019-20444 (BDSA-2019-4231)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|CVE-2019-20445 (BDSA-2019-4230)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|BDSA-2020-0666|MEDIUM|6.5|
|Netty Project|3.10.6.Final|CVE-2021-21290 (BDSA-2021-0311)|MEDIUM|5.5|
|Netty Project|3.10.6.Final|CVE-2021-21295 (BDSA-2021-0589)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-21409 (BDSA-2021-0828)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-37136|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-37137|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-43797 (BDSA-2021-3741)|MEDIUM|6.5|

> In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There 
> are many vulnerabilities, like CVE-2021-21409 etc. please confirm these 
> version and fix. thx
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-22441
>                 URL: https://issues.apache.org/jira/browse/FLINK-22441
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Coordination
>    Affects Versions: 1.11.3, 1.12.2, 1.13.0
>            Reporter: 张健
>            Priority: Not a Priority
>              Labels: auto-deprioritized-major, auto-deprioritized-minor
>
> In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There 
> are many vulnerabilities, like CVE-2021-21409 CVE-2021-21295 etc. please 
> confirm these version and fix. thx



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to