Thanks Robert.

Regards,
Suchithra

From: Robert Metzger <rmetz...@apache.org>
Sent: Tuesday, October 27, 2020 9:10 PM
To: Till Rohrmann <trohrm...@apache.org>
Cc: V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; user@flink.apache.org
Subject: Re: Dependency vulnerabilities with flink 1.11.1 version

FYI: For the sake of completeness, I have added some reasoning to all the JIRA tickets why we are not backporting fixes to the 1.11 line of Flink.

On Mon, Oct 26, 2020 at 4:51 PM Robert Metzger <rmetz...@apache.org> wrote:

Hey Suchithra,

thanks a lot for this report. I'm in the process of closing all the tickets Till has created (by pushing version upgrades to Flink). The fixes will be released with the upcoming Flink 1.12 release.

I have decided against backporting the fixes to the 1.11 line of Flink, because they usually require large dependency version jumps, and none of the vulnerabilities reported have a confirmed case of directly affecting Flink. For example, the issue in commons-io affects FileNameUtils.normalize, which we are not using in Flink.

Best,
Robert

On Fri, Oct 23, 2020 at 10:55 AM Till Rohrmann <trohrm...@apache.org> wrote:

Hi Suchithra,

thanks for doing this analysis. I think we should try to upgrade the affected libraries. I have opened issues to do these changes [1, 2, 3, 4, 5].

In the future, it would be great if you could first reach out to priv...@flink.apache.org so that we can fix these problems without drawing attention to them.

[1] https://issues.apache.org/jira/browse/FLINK-19781
[2] https://issues.apache.org/jira/browse/FLINK-19782
[3] https://issues.apache.org/jira/browse/FLINK-19783
[4] https://issues.apache.org/jira/browse/FLINK-19784
[5] https://issues.apache.org/jira/browse/FLINK-19785

Cheers,
Till

On Thu, Oct 22, 2020 at 12:56 PM V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> wrote:

Hello,

We are using Apache Flink version 1.11.1. During our security scans, the following issues were reported by our scan tool.

1. Package: commons_codec-1.10
Severity: Medium
Description: Apache Commons contains a flaw that is due to the Base32 codec decoding invalid strings instead of rejecting them. This may allow a remote attacker to tunnel additional information via a base 32 string that seems valid.
Path: /opt/flink/lib/flink-table_2.11-1.11.1.jar:commons-codec
      /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-codec
References: https://issues.apache.org/jira/browse/CODEC-134
            https://issues.apache.org/jira/browse/HTTPCLIENT-2018

2. Package: antlr-4.7
Severity: Medium
Description: ANTLR contains a flaw in runtime/Java/src/org/antlr/v4/runtime/atn/ParserATNSimulator.java that is triggered as it does not catch exceptions when attempting to access the TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT environment variable. This may allow a context-dependent attacker to potentially crash a process linked against the library.
Path: /opt/flink/opt/flink-python_2.11-1.11.1.jar:antlr4-runtime
References: https://github.com/antlr/antlr4/issues/2069

3. Package: mesos-1.0.1
Severity: Medium
Description: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Path: /opt/flink/lib/flink-dist_2.11-1.11.1.jar:mesos
References: https://nvd.nist.gov/vuln/detail/CVE-2018-8023

4. Package: okhttp-3.7.0
Severity: Medium
Description: ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.
Path: /opt/flink/plugins/metrics-datadog/flink-metrics-datadog-1.11.1.jar:okhttp
References: https://nvd.nist.gov/vuln/detail/CVE-2018-20200

5. Package: commons_io-2.4
Severity: Medium
Description: Apache Commons IO contains a flaw that allows traversing outside of a restricted path. The issue is due to FileNameUtils.normalize not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can disclose arbitrary files.
Path: /opt/flink/lib/flink-dist_2.11-1.11.1.jar:commons-io
      /opt/flink/lib/flink-table-blink_2.11-1.11.1.jar:commons-io
References: https://issues.apache.org/jira/browse/IO-556

Please let us know your comments on these issues and fix plans.

Regards,
Suchithra
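Two of the findings in the report above are generic secure-coding points rather than anything specific to Flink: item 3 (a signature check that stops at the first differing byte and so leaks timing) and item 5 (treating path normalisation as if it were a containment check). The Java program below is an added illustration written for this thread; it is not code from Flink, Mesos, Commons IO, or any of the other projects named, and the key, the signing input, the root directory and all method names are constructed for the demo. It shows the weak short-circuiting HMAC comparison next to a constant-time one using MessageDigest.isEqual, and a file-path check that resolves the requested name against an allowed root and rejects anything that normalises to a location outside it (including absolute paths, which resolve() would otherwise accept as-is).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DependencyFindingsDemo {

    // Shared helper: HMAC-SHA256 over the JWT signing input (header.payload).
    static byte[] hmacSha256(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // Item 3, weak form: String.equals() returns as soon as a byte differs, so the
    // time taken depends on how many leading bytes of the guess are correct.
    static boolean verifyTimingUnsafe(byte[] key, String signingInput, String providedSigB64) throws Exception {
        String expected = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(hmacSha256(key, signingInput));
        return expected.equals(providedSigB64);
    }

    // Item 3, fixed form: decode the presented signature and compare the raw bytes
    // with MessageDigest.isEqual, which does not short-circuit on equal-length input.
    static boolean verifyConstantTime(byte[] key, String signingInput, String providedSigB64) throws Exception {
        byte[] expected = hmacSha256(key, signingInput);
        byte[] provided;
        try {
            provided = Base64.getUrlDecoder().decode(providedSigB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64url is simply an invalid signature
        }
        return MessageDigest.isEqual(expected, provided);
    }

    // Item 5: normalising a user-supplied name is not a containment check on its own.
    // Resolve it against the allowed root, normalise the result, and require that the
    // result still starts with the root. An absolute "requested" value replaces the
    // root during resolve() and is therefore rejected by the same startsWith test.
    static Path resolveWithinRoot(Path root, String requested) {
        Path base = root.toAbsolutePath().normalize();
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and signing input; not real credentials or a real token.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";
        String goodSig = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(hmacSha256(key, signingInput));

        System.out.println("unsafe verify, good sig:        " + verifyTimingUnsafe(key, signingInput, goodSig));
        System.out.println("constant-time verify, good sig: " + verifyConstantTime(key, signingInput, goodSig));
        System.out.println("constant-time verify, bad sig:  " + verifyConstantTime(key, signingInput, "AAAA"));
        System.out.println("constant-time verify, garbage:  " + verifyConstantTime(key, signingInput, "not base64!"));

        // Constructed root directory for the path check; nothing is read from disk.
        Path root = Paths.get("/srv/demo-root");
        System.out.println("accepted: " + resolveWithinRoot(root, "jobs/config.yaml"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "jobs/../../secret"}) {
            try {
                resolveWithinRoot(root, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The two verify methods produce the same boolean answers; the difference is only in how long they take to reject a wrong signature, which is exactly the property the Mesos advisory is about. For the path check, note that the root is normalised before use so that a root written with trailing "." or ".." components cannot make the startsWith comparison pass for the wrong prefix.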