FYI: For the sake of completeness, I have added some reasoning to all the JIRA tickets why we are not backporting fixes to the 1.11-line of Flink.
On Mon, Oct 26, 2020 at 4:51 PM Robert Metzger <rmetz...@apache.org> wrote:

> Hey Suchithra,
>
> thanks a lot for this report. I'm in the process of closing all the
> tickets Till has created (by pushing version upgrades to Flink).
>
> The fixes will be released with the upcoming Flink 1.12 release.
> I have decided against backporting the fixes to the 1.11 line of Flink,
> because they usually require large dependency version jumps, and none of
> the vulnerabilities reported have a confirmed case of directly affecting
> Flink. For example, the issue in commons-io affects
> FileNameUtils.normalize, which we are not using in Flink.
>
> Best,
> Robert
>
>
> On Fri, Oct 23, 2020 at 10:55 AM Till Rohrmann <trohrm...@apache.org> wrote:
>
>> Hi Suchithra,
>>
>> thanks for doing this analysis. I think we should try to upgrade the
>> affected libraries. I have opened issues to do these changes [1, 2, 3, 4, 5].
>> In the future, it would be great if you could first reach out to
>> priv...@flink.apache.org so that we can fix these problems without
>> drawing attention to them.
>>
>> [1] https://issues.apache.org/jira/browse/FLINK-19781
>> [2] https://issues.apache.org/jira/browse/FLINK-19782
>> [3] https://issues.apache.org/jira/browse/FLINK-19783
>> [4] https://issues.apache.org/jira/browse/FLINK-19784
>> [5] https://issues.apache.org/jira/browse/FLINK-19785
>>
>> Cheers,
>> Till
>>
>> On Thu, Oct 22, 2020 at 12:56 PM V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> wrote:
>>
>>> Hello,
>>>
>>> We are using Apache Flink version 1.11.1. During our security scans, the
>>> following issues are reported by our scan tool.
>>>
>>> *1. Package: commons_codec-1.10*
>>> *Severity: Medium*
>>>
>>> *Description:*
>>> Apache Commons contains a flaw that is due to the Base32 codec decoding
>>> invalid strings instead of rejecting them. This may allow a remote attacker
>>> to tunnel additional information via a base 32 string that seems valid.
>>>
>>> *Path:*
>>> /opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
>>> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec
>>>
>>> *References:*
>>> https://issues.apache.org/jira/browse/CODEC-134
>>> https://issues.apache.org/jira/browse/HTTPCLIENT-2018
>>>
>>> *2. Package: antlr-4.7*
>>> *Severity: Medium*
>>>
>>> *Description:*
>>> ANTLR contains a flaw in
>>> runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is
>>> triggered as it does not catch exceptions when attempting to access the
>>> TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a
>>> context-dependent attacker to potentially crash a process linked against
>>> the library.
>>>
>>> *Path:*
>>> /opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime
>>>
>>> *References:*
>>> https://github.com/antlr/antlr4/issues/2069
>>>
>>> *3. Package: mesos-1.0.1*
>>> *Severity: Medium*
>>>
>>> *Description:*
>>> Apache Mesos can be configured to require authentication to call the
>>> Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions
>>> pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value
>>> against the provided signature in the JWT implementation used is vulnerable
>>> to a timing attack because instead of a constant-time string comparison
>>> routine a standard `==` operator has been used. A malicious actor can
>>> therefore abuse the timing difference of when the JWT validation function
>>> returns to reveal the correct HMAC value.
>>>
>>> *Path:*
>>> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos
>>>
>>> *References:*
>>> https://nvd.nist.gov/vuln/detail/CVE-2018-8023
>>>
>>> *4. Package: okhttp-3.7.0*
>>> *Severity: Medium*
>>>
>>> *Description:*
>>> ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0
>>> allows man-in-the-middle attackers to bypass certificate pinning by
>>> changing SSLContext and the boolean values while hooking the application.
>>> NOTE: This id is disputed because some parties don't consider this a
>>> vulnerability. Their rationale can be found in
>>> https://github.com/square/okhttp/issues/4967.
>>>
>>> *Path:*
>>> /opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp
>>>
>>> *References:*
>>> https://nvd.nist.gov/vuln/detail/CVE-2018-20200
>>>
>>> *5. Package: commons_io-2.4*
>>> *Severity: Medium*
>>>
>>> *Description:*
>>> Apache Commons IO contains a flaw that allows traversing outside of a
>>> restricted path. The issue is due to FileNameUtils.normalize not properly
>>> sanitizing user input, specifically path traversal style attacks (e.g.
>>> '../'). With a specially crafted request, a remote attacker can disclose
>>> arbitrary files.
>>>
>>> *Path:*
>>> /opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
>>> /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io
>>>
>>> *References:*
>>> https://issues.apache.org/jira/browse/IO-556
>>>
>>> Please let us know your comments on these issues and fix plans.
>>>
>>> Regards,
>>> Suchithra
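The Mesos finding (item 3 in the scan report) hinges on how a JWT's HMAC is compared with the signature the client presents. As an added example, not code from this thread, from Flink or from Mesos, the following minimal HS256 verifier shows the constant-time comparison beside the plain equality test the advisory describes; the key and token values are constructed for illustration.

```python
"""Added example: minimal HS256 JWT signing and verification with the
two comparison styles contrasted in CVE-2018-8023. Key and payload are
constructed for illustration only."""
import base64
import binascii
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding the token omitted before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Return header.payload.signature for the given claims."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, constant_time: bool = True) -> bool:
    """Recompute the HMAC and compare it with the signature in the token."""
    try:
        header, body, sig_text = token.split(".")
        provided = _b64url_decode(sig_text)
    except (ValueError, binascii.Error):
        return False  # malformed token: wrong part count or bad base64url
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if constant_time:
        # compare_digest takes the same time regardless of where the first
        # differing byte is, so the result leaks nothing about `expected`.
        return hmac.compare_digest(expected, provided)
    # The pattern the Mesos advisory describes: an ordinary equality test
    # may return as soon as it finds a differing byte, so the response time
    # depends on how many leading bytes of the presented signature match.
    return expected == provided
```

Both branches accept the same tokens and reject the same forgeries; the difference is only in what the elapsed time reveals, which is why a verifier must use the constant-time form.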