Hi,

There is a ZLIB vulnerability reported by the official National
Vulnerability Database. This vulnerability causes memory corruption while
deflating with ZLIB versions earlier than 1.2.12.
Here is the link for details:

https://nvd.nist.gov/vuln/detail/cve-2018-25032#vulnCurrentDescriptionTitle

*How is it linked to Flink?:*
In the Flink statebackend rocksdb, ZLIB version 1.2.11 is used as
part of the .so file. Hence, there is vulnerability exposure here.

*Flink code details/links:*
I am looking at the latest Flink code base, where the statebackend rocksdb
library *(frocksdbjni)* is coming from Ververica. The pom.xml dependency
snapshot is here:

https://github.com/apache/flink/blob/master/flink-state-backends/flink-statebackend-rocksdb/pom.xml

    <dependency>
        <groupId>com.ververica</groupId>
        <artifactId>frocksdbjni</artifactId>
        <version>6.20.3-ververica-1.0</version>
    </dependency>

When I look at the frocksdbjni code base, the Makefile points to
ZLIB_VER=1.2.11. This ZLIB version is vulnerable as per the NVD.

https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/Makefile

*Questions:*

- This vulnerability is marked as HIGH severity. How is it addressed in
Flink / the Flink Statebackend RocksDB? If not now, is there any plan in the
coming days to address this?

- As the Statebackend RocksDB is coming from Ververica, I am not seeing any
newer artifacts published from them. As per the Maven Repository, the
latest version is 6.20.3-ververica-1.0
<https://mvnrepository.com/artifact/com.ververica/frocksdbjni/6.20.3-ververica-1.0>
and this is the one used in the Flink code base.

https://mvnrepository.com/artifact/com.ververica/frocksdbjni

If this needs to be fixed, is there any plan from Ververica to address this
vulnerability?

- From the Flink user perspective, it is not simple to make changes to the
.so file locally. How are the Flink user companies addressing this
vulnerability, as it needs changes to the .so file?

Overall, my main question to the community is how to address this
vulnerability, as it is coming up as a high-severity blocking issue for
our product.

Please provide the inputs/suggestions at the earliest.

Thanks,
Vidya Sagar.
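A check a reader of this thread can run against the artifact discussed above, added here as example code that is not part of Flink or frocksdb: it opens a JNI jar such as frocksdbjni (for instance the copy in the local Maven repository), looks inside each bundled native library for the version banner zlib compiles into deflate.c/inflate.c, and flags any version below 1.2.12, the release the NVD entry names as fixed. The library file name, the fake ELF bytes and the jar built in build_sample_jar() are constructed for illustration.

```python
"""Flag native libraries whose embedded zlib banner predates the 1.2.12 fix."""
import io
import re
import sys
import zipfile

# zlib compiles a banner such as " deflate 1.2.11 Copyright 1995-2017 ..."
# into deflate.c/inflate.c, so the version survives in a stripped .so.
ZLIB_BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")
FIXED_IN = (1, 2, 12)  # first zlib release containing the CVE-2018-25032 fix

def parse_version(text):
    """'1.2.11' -> (1, 2, 11) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def is_affected(version):
    """True when the version string predates the 1.2.12 fix."""
    return parse_version(version) < FIXED_IN

def zlib_versions_in(blob):
    """Distinct zlib versions whose banner appears in one library image."""
    return sorted({m.group(2).decode() for m in ZLIB_BANNER.finditer(blob)})

def scan_jar(jar_bytes):
    """Map each native library inside the jar to its embedded zlib versions."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(NATIVE_SUFFIXES):
                report[name] = zlib_versions_in(jar.read(name))
    return report

def build_sample_jar():
    """Constructed stand-in for a JNI jar: a fake .so carrying 1.2.11 banners."""
    fake_so = (b"\x7fELF" + b"\x00" * 16
               + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
               + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("librocksdbjni-linux64.so", fake_so)  # constructed name
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    # Pass a real jar path (e.g. frocksdbjni-6.20.3-ververica-1.0.jar), else scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for lib, versions in scan_jar(data).items():
        print(lib, [(v, "AFFECTED" if is_affected(v) else "ok") for v in versions])
```

The banner only identifies the upstream zlib release a library was built from: a 1.2.11 build that carries a backported patch still reports 1.2.11, so treat a hit as a prompt to check the build's patch set rather than as proof on its own.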
