Thank you Yanfei for taking this issue as a bug and planning a fix in the
upcoming version.

I have another vulnerability bug coming on our product. It is related to
the "LZ4" compression library version. Can you please take a look at this
link?
https://nvd.nist.gov/vuln/detail/CVE-2019-17543

I have noticed that the Flink code base is using "<lz4.version>1.8.0</lz4.version>".
Vulnerability is present for the versions before 1.9.2.

https://github.com/apache/flink/blob/master/pom.xml

Can you please look into this issue also and address it in the coming
releases?

Questions:
-----------
- Is the code actually using this compression library? Can this
vulnerability issue be ignored?

- Can you please let me know if this is going to be addressed? If yes,
until we move to the new Flink version to get the latest changes, would it
be ok if we upgrade the version of LZ4 in our local cloned code base? I
would like to understand the impact if we make changes in our local Flink
code with regards to testing efforts and any other affected modules?

Can you please clarify this?

Thanks,
Vidya Sagar.


On Wed, Dec 7, 2022 at 7:59 AM Yanfei Lei <fredia...@gmail.com> wrote:

> Hi Vidya Sagar,
>
> Thanks for bringing this up.
>
> The RocksDB state backend defaults to Snappy[1]. If the compression option
> is not specifically configured, this vulnerability of ZLIB has no effect on
> the Flink application for the time being.
>
> *> is there any plan in the coming days to address this? *
>
> The FRocksDB 6.20.3-ververica-1.0
> <https://mvnrepository.com/artifact/com.ververica/frocksdbjni/6.20.3-ververica-1.0> does
> depend on ZLIB 1.2.11, FLINK-30321 is created to address this.
>
> *> If this needs to be fixed, is there any plan from Ververica to address
> this vulnerability?*
>
> Yes, we plan to publish a new version of FRocksDB[3] in Flink 1.17, and
> FLINK-30321 would be included in the new release.
>
> *> how to address this vulnerability issue as this is coming as a high
> severity blocking issue to our product.*
>
> As a kind of mitigation, don't configure ZLIB compression for RocksDB
> state backend.
> If ZLIB must be used now and your product can't wait, maybe you can refer
> to this release document[4] to release your own version.
>
> [1] https://github.com/facebook/rocksdb/wiki/Compression
> [2] https://issues.apache.org/jira/browse/FLINK-30321
> [3] https://cwiki.apache.org/confluence/display/FLINK/1.17+Release
> [4]
> https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/FROCKSDB-RELEASE.md
>
> --
> Best,
> Yanfei
> Ververica (Alibaba)
>
> Vidya Sagar Mula <mulasa...@gmail.com> wrote on Wed, Dec 7, 2022 at 06:47:
>
>> Hi,
>>
>> There is a ZLIB vulnerability reported by the official National
>> Vulnerability Database. This vulnerability causes memory corruption while
>> deflating with ZLIB version less than 1.2.12.
>> Here is the link for details...
>>
>>
>> https://nvd.nist.gov/vuln/detail/cve-2018-25032#vulnCurrentDescriptionTitle
>>
>> *How is it linked to Flink?*
>> In the Flink statebackend rocksdb, ZLIB version 1.2.11 is used as part
>> of the .so file. Hence, there is vulnerability exposure here.
>>
>> *Flink code details/links:*
>> I am seeing the latest Flink code base where the statebackend rocksdb
>> library *(frocksdbjni)* is coming from Ververica. The pom.xml dependency
>> snapshot is here
>>
>>
>> https://github.com/apache/flink/blob/master/flink-state-backends/flink-statebackend-rocksdb/pom.xml
>>
>> <dependency>
>>   <groupId>com.ververica</groupId>
>>   <artifactId>frocksdbjni</artifactId>
>>   <version>6.20.3-ververica-1.0</version>
>> </dependency>
>>
>>
>> When I see the frocksdbjni code base, the makefile is pointing to
>> ZLIB_VER=1.2.11. This ZLIB version is vulnerable as per the NVD.
>>
>> https://github.com/ververica/frocksdb/blob/FRocksDB-6.20.3/Makefile
>>
>> *Questions:*
>>
>> - This vulnerability is marked as HIGH severity. How is it addressed at
>> the Flink/Flink Stateback RocksDb? If not now, is there any plan in the
>> coming days to address this?
>>
>> - As the Statebackend RocksDb is coming from Ververica, I am not seeing
>> any latest artifacts published from them. As per the Maven Repository, the
>> latest version is 6.20.3-ververica-1.0
>> <https://mvnrepository.com/artifact/com.ververica/frocksdbjni/6.20.3-ververica-1.0>
>> and this is the one used in the Flink code base.
>>
>> https://mvnrepository.com/artifact/com.ververica/frocksdbjni
>>
>> If this needs to be fixed, is there any plan from Ververica to address
>> this vulnerability?
>>
>> - From the Flink user perspective, it is not simple to make the changes
>> to .so file locally. How are the Flink user companies addressing this
>> vulnerability as it needs changes to the .SO file?
>>
>> Overall, my main question to the community is, how to address this
>> vulnerability issue as this is coming as a high severity blocking issue to
>> our product.
>>
>> Please provide the inputs/suggestions at the earliest.
>>
>> Thanks,
>> Vidya Sagar.
>>
>
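The thread turns on two version pins that a dependency scanner sees differently: the LZ4 pin is a plain Maven property in pom.xml, while the zlib pin is buried in the native library's Makefile and ships inside the .so, invisible to a pom-only scan. The script below is an added example, not code from the thread or from the Flink or FRocksDB projects. It parses constructed pom.xml and Makefile excerpts (modelled on the lines the thread quotes, not copies of the real files) and compares each pinned version numerically against the first fixed release named in the thread (LZ4 1.9.2 for CVE-2019-17543, zlib 1.2.12 for CVE-2018-25032). The function names and the sample inputs are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# First fixed release for each library, as stated in the thread.
MIN_FIXED = {
    "lz4": ((1, 9, 2), "CVE-2019-17543"),
    "zlib": ((1, 2, 12), "CVE-2018-25032"),
}

# Constructed sample pom.xml excerpt (mirrors the lz4.version property the
# thread quotes; not the real Flink pom).
SAMPLE_POM = """
<project>
  <properties>
    <lz4.version>1.8.0</lz4.version>
    <snappy.version>1.1.8.3</snappy.version>
  </properties>
</project>
"""

# Constructed sample Makefile excerpt (mirrors the ZLIB_VER pin the thread
# quotes from the FRocksDB Makefile; not the real file).
SAMPLE_MAKEFILE = """
# constructed excerpt
SNAPPY_VER ?= 1.1.8
ZLIB_VER ?= 1.2.11
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11) so comparison is numeric, not lexical.

    A qualifier such as '-ververica-1.0' after the numeric part is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def pom_property(pom_xml: str, prop: str) -> Optional[str]:
    """Read a <prop>value</prop> Maven property; None if the property is absent."""
    tag = re.escape(prop)
    m = re.search(rf"<{tag}>\s*([^<\s]+)\s*</{tag}>", pom_xml)
    return m.group(1) if m else None


def makefile_var(makefile: str, var: str) -> Optional[str]:
    """Read 'VAR = v', 'VAR ?= v' or 'VAR := v' from a Makefile; None if absent."""
    m = re.search(rf"^\s*{re.escape(var)}\s*[?:]?=\s*(\S+)", makefile, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(lib: str, version: str) -> bool:
    """True when the pinned version is older than the first fixed release."""
    fixed, _ = MIN_FIXED[lib]
    return parse_version(version) < fixed


def audit(pom_xml: str, makefile: str) -> dict:
    """Return {lib: (pinned_version, vulnerable, cve)} for every pin found.

    The zlib pin is read from the native build's Makefile because the Maven
    pom never mentions it: it is compiled into the frocksdbjni .so.
    """
    findings = {}
    lz4 = pom_property(pom_xml, "lz4.version")
    if lz4 is not None:
        findings["lz4"] = (lz4, is_vulnerable("lz4", lz4), MIN_FIXED["lz4"][1])
    zlib = makefile_var(makefile, "ZLIB_VER")
    if zlib is not None:
        findings["zlib"] = (zlib, is_vulnerable("zlib", zlib), MIN_FIXED["zlib"][1])
    return findings


if __name__ == "__main__":
    for lib, (ver, vuln, cve) in audit(SAMPLE_POM, SAMPLE_MAKEFILE).items():
        status = f"VULNERABLE ({cve})" if vuln else "ok"
        print(f"{lib:5} {ver:8} {status}")
```

Run against the constructed inputs it flags both pins. In a real tree the pom check is the easy half; the Makefile check is what catches the zlib pin in the native artifact, which is why the reporter could only find it by reading the FRocksDB Makefile rather than any Flink pom. Whether a flagged pin is exploitable still depends on configuration: as the reply notes, with the RocksDB state backend defaulting to Snappy the vulnerable zlib code path is not exercised unless ZLIB compression is explicitly configured.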