Hey Suchithra, thanks a lot for this report. I'm in the process of closing all the tickets Till has created (by pushing version upgrades to Flink).
The fixes will be released with the upcoming Flink 1.12 release. I have decided against backporting the fixes to the 1.11 line of Flink, because they usually require large dependency version jumps, and none of the vulnerabilities reported have a confirmed case of directly affecting Flink. For example, the issue in commons-io affects FileNameUtils.normalize, which we are not using in Flink.

Best,
Robert

On Fri, Oct 23, 2020 at 10:55 AM Till Rohrmann <trohrm...@apache.org> wrote:

> Hi Suchithra,
>
> thanks for doing this analysis. I think we should try to upgrade the
> affected libraries. I have opened issues to do these changes [1, 2, 3, 4, 5].
> In the future, it would be great if you could first reach out to
> priv...@flink.apache.org so that we can fix these problems without
> drawing attention to them.
>
> [1] https://issues.apache.org/jira/browse/FLINK-19781
> [2] https://issues.apache.org/jira/browse/FLINK-19782
> [3] https://issues.apache.org/jira/browse/FLINK-19783
> [4] https://issues.apache.org/jira/browse/FLINK-19784
> [5] https://issues.apache.org/jira/browse/FLINK-19785
>
> Cheers,
> Till
>
> On Thu, Oct 22, 2020 at 12:56 PM V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> wrote:
>
>> Hello,
>>
>> We are using Apache Flink 1.11.1 version. During our security scans the
>> following issues are reported by our scan tool.
>>
>> *1. Package : commons_codec-1.10*
>> *Severity: Medium*
>>
>> *Description:*
>> Apache Commons contains a flaw that is due to the Base32 codec decoding
>> invalid strings instead of rejecting them. This may allow a remote attacker
>> to tunnel additional information via a base 32 string that seems valid.
>>
>> *Path:*
>> /opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
>> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec
>>
>> *References:*
>> https://issues.apache.org/jira/browse/CODEC-134
>> https://issues.apache.org/jira/browse/HTTPCLIENT-2018
>>
>> *2. Package : antlr-4.7*
>> *Severity: Medium*
>>
>> *Description:*
>> ANTLR contains a flaw in
>> runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is
>> triggered as it does not catch exceptions when attempting to access the
>> TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a
>> context-dependent attacker to potentially crash a process linked against
>> the library.
>>
>> *Path:*
>> /opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime
>>
>> *References:*
>> https://github.com/antlr/antlr4/issues/2069
>>
>> *3. Package : mesos-1.0.1*
>> *Severity: Medium*
>>
>> *Description:*
>> Apache Mesos can be configured to require authentication to call the
>> Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions
>> pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value
>> against the provided signature in the JWT implementation used is vulnerable
>> to a timing attack because instead of a constant-time string comparison
>> routine a standard `==` operator has been used. A malicious actor can
>> therefore abuse the timing difference of when the JWT validation function
>> returns to reveal the correct HMAC value.
>>
>> *Path:*
>> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos
>>
>> *References:*
>> https://nvd.nist.gov/vuln/detail/CVE-2018-8023
>>
>> *4. Package : okhttp-3.7.0*
>> *Severity: Medium*
>>
>> *Description:*
>> ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows
>> man-in-the-middle attackers to bypass certificate pinning by changing
>> SSLContext and the boolean values while hooking the application. NOTE: This
>> id is disputed because some parties don't consider this is a vulnerability.
>> Their rationale can be found in
>> https://github.com/square/okhttp/issues/4967.
>>
>> *Path:*
>> /opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp
>>
>> *References:*
>> https://nvd.nist.gov/vuln/detail/CVE-2018-20200
>>
>> *5. Package : commons_io-2.4*
>> *Severity: Medium*
>>
>> *Description:*
>> Apache Commons IO contains a flaw that allows traversing outside of a
>> restricted path. The issue is due to FileNameUtils.normalize not properly
>> sanitizing user input, specifically path traversal style attacks (e.g.
>> '../'). With a specially crafted request, a remote attacker can disclose
>> arbitrary files.
>>
>> *Path:*
>> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
>> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io
>>
>> *References:*
>> https://issues.apache.org/jira/browse/IO-556
>>
>> Please let us know your comments on these issues and fix plans.
>>
>> Regards,
>> Suchithra
>>
>
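Item 3 in the scan report above concerns an HMAC compared with a plain `==`. The block below is an added illustration, not code from this thread or from Mesos (whose JWT code is C++): a minimal HS256 JWT check written twice, once with the short-circuit comparison and once with `hmac.compare_digest`. The secret and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads this from its configuration.
SECRET = b"demo-shared-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def _macs(token: str, secret: bytes):
    """Recompute the HMAC over header.payload and decode the presented signature.
    Returns None when the token is not three base64url parts."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
        provided = b64url_decode(parts[2])
    except ValueError:  # binascii.Error and UnicodeEncodeError are ValueErrors
        return None
    return hmac.new(secret, signing_input, hashlib.sha256).digest(), provided


def verify_weak(token: str, secret: bytes = SECRET) -> bool:
    """The pattern behind CVE-2018-8023: bytes equality stops at the first
    differing byte, so the time taken leaks how much of a guess is correct."""
    macs = _macs(token, secret)
    return macs is not None and macs[0] == macs[1]


def verify_constant_time(token: str, secret: bytes = SECRET) -> bool:
    """Hardened form: compare_digest's run time does not depend on where
    the two byte strings differ."""
    macs = _macs(token, secret)
    return macs is not None and hmac.compare_digest(macs[0], macs[1])
```

Both functions return the same boolean; only the timing profile of the rejection path differs, which is why scanners flag the `==` form even though functional tests pass.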