Purushottam Sinha created FLINK-39713:
-----------------------------------------
Summary: flink-kubernetes-operator: Bump log4j, jackson, and Beam to retire CVEs
Key: FLINK-39713
URL: https://issues.apache.org/jira/browse/FLINK-39713
Project: Flink
Issue Type: Technical Debt
Components: Kubernetes Operator
Reporter: Purushottam Sinha
Problem
Direct dependencies log4j, jackson-bom, and Beam (in the Flink Beam example)
ship versions flagged by Trivy across operator and example modules. Bumping
each to its latest stable within the same major retires ~50 of the report's
findings without any transitive overrides.
Evidence
- pom.xml:90 log4j.version 2.23.1 — CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480
- pom.xml:128 jackson-bom 2.15.0 — GHSA-72hv-8253-57qq
- examples/flink-beam-example/pom.xml:36 beam.version 2.62.0 — 37 example-only findings (kaml, okio, wire-runtime, kafka-clients, opentelemetry-api, parallel Netty)
Proposed fix
- pom.xml:90: log4j.version 2.23.1 → 2.25.4
- pom.xml:128: jackson-bom 2.15.0 → 2.18.6
- examples/flink-beam-example/pom.xml:36: beam.version 2.62.0 → 2.73.0
Acceptance
- ./mvnw verify passes
- trivy fs --scanners vuln . shows the listed CVEs cleared
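Added example (not part of the ticket or the operator repo): a POSIX shell check for the second acceptance step. It assumes the scan was saved as JSON with `trivy fs --scanners vuln --format json -o report.json .` and reports which of the ticket's listed IDs are still present; the 37 Beam example findings are not enumerated in the ticket, so they are not listed here either.

```shell
#!/bin/sh
# Verify that the findings this ticket expects to clear are absent from a
# Trivy JSON report. Assumed report produced by:
#   trivy fs --scanners vuln --format json -o report.json .

# IDs taken from the ticket's Evidence section.
EXPECTED_CLEARED="CVE-2025-68161 CVE-2026-34477 CVE-2026-34478 CVE-2026-34479 CVE-2026-34480 GHSA-72hv-8253-57qq"

# remaining_findings REPORT [ID...]
# Prints each ID (default: EXPECTED_CLEARED) that still appears in REPORT.
# Returns 0 when none remain, 1 when at least one is still reported.
remaining_findings() {
    report="$1"; shift
    ids="${*:-$EXPECTED_CLEARED}"
    # Trivy's JSON schema lists each finding under Results[].Vulnerabilities[].VulnerabilityID
    present=$(grep -oE '"VulnerabilityID": *"[^"]+"' "$report" \
              | sed -E 's/.*: *"([^"]+)"/\1/' | sort -u)
    rc=0
    for id in $ids; do
        if printf '%s\n' "$present" | grep -qx "$id"; then
            echo "$id"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample report (not real scanner output) so the script runs
# stand-alone: one ticket CVE still present plus an unrelated placeholder finding.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "Results": [
    {
      "Target": "pom.xml",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-68161", "PkgName": "org.apache.logging.log4j:log4j-core"},
        {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example:unrelated"}
      ]
    }
  ]
}
EOF

# Against the real report: remaining_findings report.json && echo "ticket findings cleared"
remaining_findings "$SAMPLE_REPORT"
```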
--
This message was sent by Atlassian Jira
(v8.20.10#820010)