Hi Suchithra,

thanks for doing this analysis. I think we should try to upgrade the
affected libraries. I have opened issues to do these changes [1, 2, 3, 4,
5]. In the future, it would be great if you could first reach out to
priv...@flink.apache.org so that we can fix these problems without drawing
attention to them.

[1] https://issues.apache.org/jira/browse/FLINK-19781
[2] https://issues.apache.org/jira/browse/FLINK-19782
[3] https://issues.apache.org/jira/browse/FLINK-19783
[4] https://issues.apache.org/jira/browse/FLINK-19784
[5] https://issues.apache.org/jira/browse/FLINK-19785

Cheers,
Till

On Thu, Oct 22, 2020 at 12:56 PM V N, Suchithra (Nokia - IN/Bangalore) <
suchithra....@nokia.com> wrote:

>
> Hello,
>
> We are using Apache Flink 1.11.1 version. During our security scans the
> following issues are reported by our scan tool.
>
> *1. Package: commons_codec-1.10*
>
> *Severity: Medium*
>
> *Description:*
>
> Apache Commons contains a flaw that is due to the Base32 codec decoding
> invalid strings instead of rejecting them. This may allow a remote attacker
> to tunnel additional information via a base 32 string that seems valid.
>
> *Path:*
>
> /opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
>
> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec
>
> *References:*
>
> https://issues.apache.org/jira/browse/CODEC-134
>
> https://issues.apache.org/jira/browse/HTTPCLIENT-2018
>
> *2. Package: antlr-4.7*
>
> *Severity: Medium*
>
> *Description:*
>
> ANTLR contains a flaw in
> runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is
> triggered as it does not catch exceptions when attempting to access the
> TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a
> context-dependent attacker to potentially crash a process linked against
> the library.
>
> *Path:*
>
> /opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime
>
> *References:*
>
> https://github.com/antlr/antlr4/issues/2069
>
> *3. Package: mesos-1.0.1*
>
> *Severity: Medium*
>
> *Description:*
>
> Apache Mesos can be configured to require authentication to call the
> Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions
> pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value
> against the provided signature in the JWT implementation used is vulnerable
> to a timing attack because instead of a constant-time string comparison
> routine a standard `==` operator has been used. A malicious actor can
> therefore abuse the timing difference of when the JWT validation function
> returns to reveal the correct HMAC value.
>
> *Path:*
>
> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos
>
> *References:*
>
> https://nvd.nist.gov/vuln/detail/CVE-2018-8023
>
> *4. Package: okhttp-3.7.0*
>
> *Severity: Medium*
>
> *Description:*
>
> ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows
> man-in-the-middle attackers to bypass certificate pinning by changing
> SSLContext and the boolean values while hooking the application. NOTE: This
> id is disputed because some parties don't consider this is a vulnerability.
> Their rationale can be found in
> https://github.com/square/okhttp/issues/4967.
>
> *Path:*
>
> /opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp
>
> *References:*
>
> https://nvd.nist.gov/vuln/detail/CVE-2018-20200
>
> *5. Package: commons_io-2.4*
>
> *Severity: Medium*
>
> *Description:*
>
> Apache Commons IO contains a flaw that allows traversing outside of a
> restricted path. The issue is due to FileNameUtils.normalize not properly
> sanitizing user input, specifically path traversal style attacks (e.g.
> '../'). With a specially crafted request, a remote attacker can disclose
> arbitrary files.
>
> *Path:*
>
> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
>
> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io
>
> *References:*
>
> https://issues.apache.org/jira/browse/IO-556
>
> Please let us know your comments on these issues and fix plans.
>
> Regards,
>
> Suchithra
>
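Finding 3 in the quoted report (the Mesos JWT HMAC comparison) is the classic constant-time comparison bug. The block below is an added illustration, not code from this thread, from Flink, or from Mesos: it builds and verifies an HS256 JWT, checks the signature with `hmac.compare_digest`, and also models the vulnerable `==`-style comparison as `early_exit_equal`, which reports how many bytes it examined so the data-dependent work the report describes is visible without any timing measurement. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example; not a real Mesos or Flink credential.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(raw):
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key):
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def early_exit_equal(a, b):
    """Models a plain `==` on byte strings: it stops at the first differing byte.
    Returns (equal, bytes_examined) so the data-dependent work is observable."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_token(token, key, constant_time=True):
    """Return the claims dict when the signature is valid, otherwise None.
    constant_time=False swaps in the vulnerable comparison for illustration only."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
        signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad unpack, non-ASCII
        return None
    # Pin the algorithm: never let the token choose 'none' or a different MAC.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if constant_time:
        ok = hmac.compare_digest(expected, provided)  # length-independent path
    else:
        ok, _ = early_exit_equal(expected, provided)
    if not ok:
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def bytes_examined_for_partial_match(token, key, matching_prefix):
    """Show why `==` leaks: a candidate whose first `matching_prefix` bytes equal
    the real HMAC makes the early-exit comparison examine matching_prefix + 1
    bytes (all 32 when fully correct). compare_digest does the same work for any
    input, which is the property the report asks for."""
    header_b64, payload_b64, _ = token.split(".")
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    real = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constructed candidate: correct prefix, every remaining byte flipped.
    candidate = real[:matching_prefix] + bytes(b ^ 0xFF for b in real[matching_prefix:])
    _, examined = early_exit_equal(real, candidate)
    return examined
```

The fix the report implies is the single line that uses `hmac.compare_digest` (Java's equivalent is `MessageDigest.isEqual`); the rest of `verify_token` shows the neighbouring checks a JWT validator also needs, in particular refusing tokens whose header names an algorithm other than the one the server expects.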

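Finding 5 (commons-io `FilenameUtils.normalize` and `../` traversal) describes the other check worth showing: after collapsing `.` and `..` segments, a path that would climb above its root must be rejected rather than returned. The block below is an added example, not code from this thread, from Flink, or from Commons IO; `BASE_DIR` and the sample paths are constructed. It is a pure string check, so on a live filesystem the caller should still apply `os.path.realpath` to the result to handle symlinks.

```python
import posixpath

# Constructed base directory for the demo; not a real Flink path.
BASE_DIR = "/srv/flink/uploads"


def normalize_relative(user_path):
    """Collapse '.' and '..' segments of a user-supplied relative path.
    Returns None when the path is empty, absolute, contains a NUL byte, or
    still points above its root after normalization, which is exactly the
    case a safe normalize must refuse instead of returning."""
    if not user_path or "\x00" in user_path:
        return None
    cleaned = user_path.replace("\\", "/")  # treat backslashes as separators too
    if cleaned.startswith("/"):
        return None
    norm = posixpath.normpath(cleaned)
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def resolve_inside(base_dir, user_path):
    """Join user_path under base_dir and return the absolute result only if it
    stays inside base_dir; otherwise None."""
    norm = normalize_relative(user_path)
    if norm is None:
        return None
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, norm))
    # Independent containment check on the joined result, so a bug in the
    # segment logic above cannot silently let a path escape.
    if full != base and not full.startswith(base + "/"):
        return None
    return full
```

The second guard in `resolve_inside` is deliberate: the segment-level rejection and the prefix check are two different ways of asking "is this still under the base?", and a file-serving endpoint should fail closed if either says no.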