This is an automated email from the ASF dual-hosted git repository.

rmetzger pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git

commit 03820d5cbeb534e50b9be49f91c84624204695d5
Author: Robert Metzger <[email protected]>
AuthorDate: Thu Dec 17 08:05:14 2020 +0100

    Add security page for Flink
    
    This closes #408
---
 _data/i18n.yml        |  2 ++
 _includes/navbar.html | 15 +++++++----
 security.md           | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
 security.zh.md        | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 158 insertions(+), 5 deletions(-)

diff --git a/_data/i18n.yml b/_data/i18n.yml
index 39548af..b7bf95b 100644
--- a/_data/i18n.yml
+++ b/_data/i18n.yml
@@ -24,6 +24,7 @@ en:
     roadmap: Roadmap
     tutorials: Tutorials
     training_course: Training Course
+    flink_security: Flink Security
 
 zh:
     what_is_flink: Apache Flink 是什么?
@@ -51,3 +52,4 @@ zh:
     roadmap: 开发计划
     tutorials: 教程
     training_course: Training Course
+    flink_security: Flink Security
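Review bot: the `zh:` entry `flink_security: Flink Security` is left in English while the neighbouring keys `roadmap` and `tutorials` carry Chinese labels; `training_course` is untranslated too, so this is consistent with the file, but a Chinese label for the new navbar item would match the rest of the zh section. Minor.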
diff --git a/_includes/navbar.html b/_includes/navbar.html
index a2476af..0168253 100755
--- a/_includes/navbar.html
+++ b/_includes/navbar.html
@@ -155,6 +155,12 @@
 
           </ul>
 
+          <style>
+            .smalllinks:link {
+              display: inline-block !important; background: none; padding-top: 
0px; padding-bottom: 0px; padding-right: 0px; min-width: 75px;
+            }
+          </style>
+
           <ul class="nav navbar-nav navbar-bottom">
           <hr />
 
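Review bot: the `<style>` block that this hunk places before `<ul class="nav navbar-nav navbar-bottom">` is still an inline stylesheet in the page body; the `.smalllinks:link` rule belongs in the site's stylesheet instead, which also keeps the navbar free of body-level `<style>` elements that a Content-Security-Policy would otherwise have to allow via `style-src 'unsafe-inline'`. Moving it out of the `<li>` is an improvement, so this is a follow-up rather than a blocker.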
@@ -164,16 +170,15 @@
             <!-- Visualizer -->
             <li class="{% if page.url contains '/visualizer/' %} active{% 
endif %} hidden-md hidden-sm"><a href="{{ site.baseurl }}/visualizer/" 
target="_blank">Plan Visualizer <small><span class="glyphicon 
glyphicon-new-window"></span></small></a></li>
 
+            <li {% if page.url contains '/security.html' %} class="active"{% 
endif %}>
+                  <a href="{{ baseurl_i18n }}/security.html">{{ 
site.data.i18n[page.language].flink_security }}</a>
+            </li>
+
           <hr />
 
             <li><a href="https://apache.org"; target="_blank">Apache Software 
Foundation <small><span class="glyphicon 
glyphicon-new-window"></span></small></a></li>
 
             <li>
-              <style>
-                .smalllinks:link {
-                  display: inline-block !important; background: none; 
padding-top: 0px; padding-bottom: 0px; padding-right: 0px; min-width: 75px;
-                }
-              </style>
 
               <a class="smalllinks" href="https://www.apache.org/licenses/"; 
target="_blank">License</a> <small><span class="glyphicon 
glyphicon-new-window"></span></small>
 
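Review bot: the new `<li>` for the security link follows different conventions from its neighbours: it uses `{{ baseurl_i18n }}` where the Plan Visualizer entry directly above uses `{{ site.baseurl }}`, and it emits `class="active"` conditionally where the sibling writes the condition inside a fixed `class="..."` attribute. Confirm `baseurl_i18n` is assigned earlier in this include (it has to resolve to the language-prefixed base for the zh page to link to its own `security.html`), and consider `<li class="{% if page.url contains '/security.html' %}active{% endif %}">` to match the surrounding entries.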
diff --git a/security.md b/security.md
new file mode 100644
index 0000000..2f927d8
--- /dev/null
+++ b/security.md
@@ -0,0 +1,73 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions or remove the port parameter from the reporter configuration 
(see advisory for details).
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit code to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifying 
local files is possible.
+
+Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
+
+**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting access to a Flink cluster via appropriate means.
+
+
+### I found a vulnerability in Flink, how do I report it?
+
+Thanks a lot for looking into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](http://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
+
+If you want to discuss a potential security issue privately with the Flink 
PMC, you can reach us also via 
[[email protected]](mailto:[email protected]).
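Review bot: the CVE-2020-1960 row says "see advisory for details", but the only link in that row is the MITRE entry, so a reader has nowhere to find the reporter-configuration workaround; link the advisory text alongside the CVE id, as the other two rows link their fixing commits. Two smaller points: the data rows of the `<table>` are not wrapped in `<tbody>` although a `<thead>` is present, and the FAQ sentence "We strongly discourage users to expose Flink processes to the public internet" should read "discourage users from exposing".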
diff --git a/security.zh.md b/security.zh.md
new file mode 100644
index 0000000..2f927d8
--- /dev/null
+++ b/security.zh.md
@@ -0,0 +1,73 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions or remove the port parameter from the reporter configuration 
(see advisory for details).
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit code to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifying 
local files is possible.
+
+Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
+
+**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting access to a Flink cluster via appropriate means.
+
+
+### I found a vulnerability in Flink, how do I report it?
+
+Thanks a lot for looking into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](http://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
+
+If you want to discuss a potential security issue privately with the Flink 
PMC, you can reach us also via 
[[email protected]](mailto:[email protected]).
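Review bot: `security.zh.md` is a byte-identical copy of `security.md` (both blobs are `2f927d8`), so the Chinese site will render the English title, table notes and FAQ; either translate at least `title` and the section headings, as the other zh pages do, or note in the commit that the page is intentionally English-only for now, which would also explain the untranslated `flink_security` label in `_data/i18n.yml`.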
