Re: ZLIB Vulnerability Exposure in Flink statebackend RocksDB

2022-12-12 Thread Yanfei Lei
Hey Vidya Sagar,

*- Is the code actually using this compression library? Can this
vulnerability issue be ignored?*

I glanced at the LZ4 in Flink. IIUC, LZ4 is used to compress blocks in
batch tables, which was introduced by FLINK-11858[1]; FLINK-23447[2] bumped
it to 1.8. So, LZ4 is actually used by some code.

*- would it be ok if we upgrade the version of LZ4 in our local cloned
code base?*

I guess you can refer to FLINK-23447[2] to upgrade it. I am not familiar
with batch mode; AFAIK, flink-table-runtime[3] would definitely be affected.


[1] https://issues.apache.org/jira/browse/FLINK-11858
[2] https://issues.apache.org/jira/browse/FLINK-23447
[3] https://github.com/apache/flink/blob/master/flink-table/flink-table-runtime/src/main/java/org/apache/flink/table/runtime/operators/sort/BinaryExternalSorter.java#L213


Re: ZLIB Vulnerability Exposure in Flink statebackend RocksDB

2022-12-09 Thread Martijn Visser
Hi Vidya,

Please keep in mind that the Flink project is driven by volunteers. If
you're noticing an outdated version for the lz4 compression library and an
update is required, it would be great if you can open the PR to update that
dependency yourself.

Best regards,

Martijn


Re: ZLIB Vulnerability Exposure in Flink statebackend RocksDB

2022-12-08 Thread Vidya Sagar Mula
Thank you Yanfei for taking this issue as a bug and planning a fix in the
upcoming version.

I have another vulnerability bug coming on our product. It is related to
the "LZ4" compression library version. Can you please take a look at this
link?
https://nvd.nist.gov/vuln/detail/CVE-2019-17543

I have noticed that the Flink code base is using "<lz4.version>1.8.0</lz4.version>". The vulnerability is present for the versions *before 1.9.2.*

https://github.com/apache/flink/blob/master/pom.xml

Can you please look into this issue also and address it in the coming
releases?

Questions:
---
- Is the code actually using this compression library? Can this
vulnerability issue be ignored?

- Can you please let me know if this is going to be addressed. If yes,
until we move to the new Flink version to get the latest changes, would it
be ok if we upgrade the version of LZ4 in our local cloned code base? I
would like to understand the impact if we make changes in our local Flink
code with regards to testing efforts and any other affected modules?

Can you please clarify this?

Thanks,
Vidya Sagar.




Re: ZLIB Vulnerability Exposure in Flink statebackend RocksDB

2022-12-07 Thread Yanfei Lei
Hi Vidya Sagar,

Thanks for bringing this up.

The RocksDB state backend defaults to Snappy[1]. If the compression option
is not specifically configured, this vulnerability of ZLIB has no effect on
the Flink application for the time being.

*> is there any plan in the coming days to address this? *

The FRocksDB 6.20.3-ververica-1.0 release does depend on ZLIB 1.2.11;
FLINK-30321[2] has been created to address this.

*> If this needs to be fixed, is there any plan from Ververica to address
this vulnerability?*

Yes, we plan to publish a new version of FRocksDB[3] in Flink 1.17, and
FLINK-30321 would be included in the new release.

*> how to address this vulnerability issue as this is coming as a high
severity blocking issue to our product.*

As a kind of mitigation, don't configure ZLIB compression for the RocksDB
state backend.
If ZLIB must be used now and your product can't wait, maybe you can refer
to this release document[4] to release your own version.

[1] https://github.com/facebook/rocksdb/wiki/Compression
[2] https://issues.apache.org/jira/browse/FLINK-30321
[3] https://cwiki.apache.org/confluence/display/FLINK/1.17+Release
[4] https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/FROCKSDB-RELEASE.md

--
Best,
Yanfei
Ververica (Alibaba)
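The mitigation Yanfei gives above (keep ZLIB out of the RocksDB state backend) can be enforced in the job rather than left to configuration discipline. The following is an added example, not code from this thread or from the Flink project: a `RocksDBOptionsFactory` that pins the column-family codec to Snappy and fails fast if ZLIB is still reachable through any of RocksDB's three compression settings (`compression`, `compression_per_level`, `bottommost_compression`), because the latter two take precedence over the first. The Flink types (`RocksDBOptionsFactory`, `EmbeddedRocksDBStateBackend`) and RocksDB types (`ColumnFamilyOptions`, `CompressionType`, `DBOptions`) are the real API of the Flink 1.15/1.16 and RocksDB 6.x lines; the package name `example` and class name `NoZlibOptionsFactory` are assumptions made for this example.

```java
// Added example: enforce "no ZLIB" for the Flink RocksDB state backend.
// Package and class names are assumptions; the Flink and RocksDB API names
// are the real ones from the Flink 1.15/1.16 and RocksDB 6.x lines.
package example;

import java.util.Collection;
import java.util.List;

import org.apache.flink.contrib.streaming.state.EmbeddedRocksDBStateBackend;
import org.apache.flink.contrib.streaming.state.RocksDBOptionsFactory;
import org.rocksdb.ColumnFamilyOptions;
import org.rocksdb.CompressionType;
import org.rocksdb.DBOptions;

public class NoZlibOptionsFactory implements RocksDBOptionsFactory {

    private static final long serialVersionUID = 1L;

    @Override
    public DBOptions createDBOptions(
            DBOptions currentOptions, Collection<AutoCloseable> handlesToClose) {
        // Compression is a column-family setting; nothing to change at DB level.
        return currentOptions;
    }

    @Override
    public ColumnFamilyOptions createColumnOptions(
            ColumnFamilyOptions currentOptions, Collection<AutoCloseable> handlesToClose) {
        // Pin the default codec to Snappy (the default the thread relies on) so
        // that predefined options or an earlier factory cannot leave ZLIB in place.
        currentOptions.setCompressionType(CompressionType.SNAPPY_COMPRESSION);
        // Per-level and bottommost settings override the default codec, so a
        // ZLIB entry there would still pull the bundled zlib into the write path.
        assertNoZlib(currentOptions);
        return currentOptions;
    }

    /** Throws if ZLIB is selected through any of RocksDB's three compression knobs. */
    static void assertNoZlib(ColumnFamilyOptions opts) {
        if (opts.compressionType() == CompressionType.ZLIB_COMPRESSION) {
            throw new IllegalStateException(
                    "RocksDB 'compression' is ZLIB; bundled zlib 1.2.11 is affected by CVE-2018-25032");
        }
        List<CompressionType> perLevel = opts.compressionPerLevel();
        if (perLevel != null && perLevel.contains(CompressionType.ZLIB_COMPRESSION)) {
            throw new IllegalStateException("RocksDB 'compression_per_level' contains ZLIB");
        }
        if (opts.bottommostCompressionType() == CompressionType.ZLIB_COMPRESSION) {
            throw new IllegalStateException("RocksDB 'bottommost_compression' is ZLIB");
        }
    }

    /** Wires the factory into a state backend; pass the result to env.setStateBackend(). */
    public static EmbeddedRocksDBStateBackend hardenedBackend() {
        EmbeddedRocksDBStateBackend backend = new EmbeddedRocksDBStateBackend();
        backend.setRocksDBOptions(new NoZlibOptionsFactory());
        return backend;
    }
}
```

To apply it cluster-wide instead of per job, the same class can be named in the Flink configuration key `state.backend.rocksdb.options-factory`. Note what this does and does not do: it guarantees the vulnerable code path in zlib is never exercised by the state backend, but the zlib 1.2.11 object code stays inside the frocksdbjni .so until the FLINK-30321 release replaces it, so dependency scanners will keep flagging the artifact.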



ZLIB Vulnerability Exposure in Flink statebackend RocksDB

2022-12-06 Thread Vidya Sagar Mula
Hi,

There is a ZLIB vulnerability reported by the official National
Vulnerability Database. This vulnerability causes memory corruption while
deflating with ZLIB versions below 1.2.12.
Here is the link for details...

https://nvd.nist.gov/vuln/detail/cve-2018-25032#vulnCurrentDescriptionTitle

*How is it linked to Flink?: *
In the Flink statebackend rocksdb, ZLIB version 1.2.11 is used as part of
the .so file. Hence, there is vulnerability exposure here.

*Flink code details/links:*
I am seeing the latest Flink code base where the statebackend rocksdb
library *(frocksdbjni)* is coming from Ververica. The pom.xml dependency
snapshot is here

https://github.com/apache/flink/blob/master/flink-state-backends/flink-statebackend-rocksdb/pom.xml

    <dependency>
        <groupId>com.ververica</groupId>
        <artifactId>frocksdbjni</artifactId>
        <version>6.20.3-ververica-1.0</version>
    </dependency>


When I see the frocksdbjni code base, the makefile is pointing to
ZLIB_VER=1.2.11. This ZLIB version is vulnerable as per the NVD.

https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/Makefile

*Questions:*

- This vulnerability is marked as HIGH severity. How is it addressed at the
Flink/Flink Statebackend RocksDb? If not now, is there any plan in the coming
days to address this?

- As the Statebackend RocksDb is coming from Ververica, I am not seeing any
latest artifacts published from them. As per the Maven Repository, the
latest version is 6.20.3-ververica-1.0 and this is the one used in the
Flink code base.

https://mvnrepository.com/artifact/com.ververica/frocksdbjni

If this needs to be fixed, is there any plan from Ververica to address this
vulnerability?

- From the Flink user perspective, it is not simple to make the changes to
the .so file locally. How are the Flink user companies addressing this
vulnerability as it needs changes to the .so file?

Overall, my main question to the community is, how to address this
vulnerability issue as this is coming as a high severity blocking issue to
our product.

Please provide the inputs/suggestions at the earliest.

Thanks,
Vidya Sagar.