[ https://issues.apache.org/jira/browse/FLINK-22441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579116#comment-17579116 ]
Hongbo commented on FLINK-22441: -------------------------------- [~martijnvisser] How is it fixed in Flink 1.14? We can still see Netty 3.10.6 is used in the latest version: [https://github.com/apache/flink/blob/master/flink-rpc/flink-rpc-akka/pom.xml#L102] and it show up in the scan results: |etty Project|3.10.6.Final|BDSA-2018-4022|MEDIUM|4.7| |Netty Project|3.10.6.Final|BDSA-2019-2642|MEDIUM|6.5| |Netty Project|3.10.6.Final|BDSA-2019-2643|MEDIUM|6.7| |Netty Project|3.10.6.Final|BDSA-2019-2649|MEDIUM|6.5| |Netty Project|3.10.6.Final|BDSA-2019-2610|HIGH|7.2| |Netty Project|3.10.6.Final|CVE-2019-16869 (BDSA-2019-3119)|HIGH|7.5| |Netty Project|3.10.6.Final|BDSA-2020-0130|HIGH|8.8| |Netty Project|3.10.6.Final|CVE-2019-20444 (BDSA-2019-4231)|CRITICAL|9.1| |Netty Project|3.10.6.Final|CVE-2019-20445 (BDSA-2019-4230)|CRITICAL|9.1| |Netty Project|3.10.6.Final|BDSA-2020-0666|MEDIUM|6.5| |Netty Project|3.10.6.Final|CVE-2021-21290 (BDSA-2021-0311)|MEDIUM|5.5| |Netty Project|3.10.6.Final|CVE-2021-21295 (BDSA-2021-0589)|MEDIUM|5.9| |Netty Project|3.10.6.Final|CVE-2021-21409 (BDSA-2021-0828)|MEDIUM|5.9| |Netty Project|3.10.6.Final|CVE-2021-37136|HIGH|7.5| |Netty Project|3.10.6.Final|CVE-2021-37137|HIGH|7.5| |Netty Project|3.10.6.Final|CVE-2021-43797 (BDSA-2021-3741)|MEDIUM|6.5| > In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There > are many vulnerabilities, like CVE-2021-21409 etc. please confirm these > version and fix. thx > -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: FLINK-22441 > URL: https://issues.apache.org/jira/browse/FLINK-22441 > Project: Flink > Issue Type: Bug > Components: Runtime / Coordination > Affects Versions: 1.11.3, 1.12.2, 1.13.0 > Reporter: 张健 > Priority: Not a Priority > Labels: auto-deprioritized-major, auto-deprioritized-minor > > In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There > are many vulnerabilities, like CVE-2021-21409 CVE-2021-21295 etc. please > confirm these version and fix. thx -- This message was sent by Atlassian Jira (v8.20.10#820010)