Hello,

We are using Apache Flink version 1.11.1. During our security scans, the following issues were reported by our scan tool.

1. Package: commons_codec-1.10
   Severity: Medium
   Description: Apache Commons contains a flaw that is due to the Base32 codec decoding invalid strings instead of rejecting them. This may allow a remote attacker to tunnel additional information via a Base32 string that seems valid.
   Path: /opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
         /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec
   References: https://issues.apache.org/jira/browse/CODEC-134
               https://issues.apache.org/jira/browse/HTTPCLIENT-2018

2. Package: antlr-4.7
   Severity: Medium
   Description: ANTLR contains a flaw in runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is triggered as it does not catch exceptions when attempting to access the TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a context-dependent attacker to potentially crash a process linked against the library.
   Path: /opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime
   References: https://github.com/antlr/antlr4/issues/2069

3. Package: mesos-1.0.1
   Severity: Medium
   Description: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
   Path: /opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos
   References: https://nvd.nist.gov/vuln/detail/CVE-2018-8023

4. Package: okhttp-3.7.0
   Severity: Medium
   Description: ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This ID is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.
   Path: /opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp
   References: https://nvd.nist.gov/vuln/detail/CVE-2018-20200

5. Package: commons_io-2.4
   Severity: Medium
   Description: Apache Commons IO contains a flaw that allows traversing outside of a restricted path. The issue is due to FileNameUtils.normalize not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can disclose arbitrary files.
   Path: /opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
         /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io
   References: https://issues.apache.org/jira/browse/IO-556

Please let us know your comments on these issues and your fix plans.

Regards,
Suchithra
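Finding 3 in the post above describes the mechanism behind CVE-2018-8023: a JWT verifier that compares the recomputed HMAC to the presented signature with a plain `==`, which returns as soon as it hits the first wrong byte. The following is an added example written for this page; it is not code from Flink, Mesos or the scan tool. It builds and verifies HS256 tokens with a constructed demo key and claim set, and instruments two comparators to count how many signature bytes each one examines before deciding. The early-exit comparator's count grows with the length of the correct prefix, which is exactly the per-byte oracle a timing attacker exploits; the constant-time comparator always touches every byte. The instrumented constant-time routine exists only to make the count visible; real code should use the standard-library primitive, `hmac.compare_digest` in Python or `MessageDigest.isEqual` in Java.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, List, Tuple

# Constructed demo key and claim set for this example; not values from Flink or Mesos.
DEMO_KEY = b"demo-executor-secret"
DEMO_CLAIMS = {"sub": "executor", "fid": "demo-framework"}

# A comparator returns (equal, number_of_bytes_examined).
Comparator = Callable[[bytes, bytes], Tuple[bool, int]]


def _b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header_b64: str, body_b64: str) -> bytes:
    return f"{header_b64}.{body_b64}".encode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, _signing_input(header, body), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the behaviour of a plain `==` on strings.
    The byte count it returns is what a timing attacker observes indirectly."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # stops at the first wrong byte
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Instrumented constant-time comparison: every byte is touched regardless of
    where the first mismatch lies. Production code should call hmac.compare_digest
    (Python) or MessageDigest.isEqual (Java) instead of hand-rolling this."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_hs256(token: str, key: bytes, compare: Comparator) -> Tuple[bool, int]:
    """Recompute the HMAC and compare it to the presented signature with `compare`."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, _signing_input(header, body), hashlib.sha256).digest()
    return compare(_b64url_decode(sig), expected)


def verify_hs256_secure(token: str, key: bytes) -> bool:
    """The fixed form: standard-library constant-time comparison."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, _signing_input(header, body), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)


def forge_with_known_prefix(token: str, key: bytes, prefix_len: int) -> str:
    """Attacker's guess: the first prefix_len bytes of the real MAC are right and the
    rest are deliberately wrong. A real attacker learns the prefix byte by byte from
    timing; here the key is used only to construct the guess deterministically."""
    header, body, _ = token.split(".")
    real = hmac.new(key, _signing_input(header, body), hashlib.sha256).digest()
    guess = real[:prefix_len] + bytes(b ^ 0xFF for b in real[prefix_len:])
    return f"{header}.{body}.{_b64url(guess)}"


def leak_profile(compare: Comparator, token: str, key: bytes, max_prefix: int) -> List[int]:
    """Bytes examined by `compare` for guesses whose first k bytes are correct,
    k = 0..max_prefix-1. A profile that grows with k leaks the MAC one position at a time."""
    return [verify_hs256(forge_with_known_prefix(token, key, k), key, compare)[1]
            for k in range(max_prefix)]


if __name__ == "__main__":
    tok = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    print("naive    :", leak_profile(naive_equal, tok, DEMO_KEY, 6))
    print("constant :", leak_profile(constant_time_equal, tok, DEMO_KEY, 6))
```

Running the block prints a naive profile of 1, 2, 3, ... (one more byte examined for each correct prefix byte) against a flat 32 for the constant-time comparator. In a deployment the difference shows up as nanoseconds per request, which is why the attack needs many samples per byte, but the shape of the leak is the one the count makes visible here.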