[https://issues.apache.org/jira/browse/FLINK-27654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539892#comment-17539892]
Yang Wang commented on FLINK-27654:
-----------------------------------
Of course, we could also bump the kubernetes-client in
flink-kubernetes-operator/pom.xml from 5.12.1 to 5.12.2[1]. But it still does
not fix the vulnerability and we still need the above dependencyManagement
solution.
[1]. https://mvnrepository.com/artifact/io.fabric8/kubernetes-client/5.12.2
> Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
> -------------------------------------------------------------------------
>
> Key: FLINK-27654
> URL: https://issues.apache.org/jira/browse/FLINK-27654
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-0.1.0
> Reporter: James Busche
> Priority: Major
> Fix For: kubernetes-operator-1.0.0
>
>
> A twistlock security scan of the latest kubernetes flink operator is showing
> an older version of jackson-databind in the
> /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file. I don't know how to
> control/update the contents of this snapshot file.
> I see this in the report (Otherwise, everything else looks good!):
> ======
> severity: High
> cvss: 7.5
> riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High
> severity
> cve: CVE-2020-36518
> Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
> description: jackson-databind before 2.13.0 allows a Java StackOverflow
> exception and denial of service via a large depth of nested objects.
> =====
> I'd be glad to try to fix it, I'm just not sure how the jackson-databind
> versions are controlled in this
> /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
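As an added illustration of the dependencyManagement approach the comment refers to (this is not the operator project's own pom.xml; the property name and the pinned jackson-databind version are assumptions, chosen to satisfy the report's "before 2.13.0 is affected"), a minimal pom fragment:

```xml
<!-- Added example, not the flink-kubernetes-operator pom.xml itself.
     Pins jackson-databind for the whole build so the shaded jar no longer
     bundles the transitive version that kubernetes-client 5.12.x pulls in. -->
<project>
  <properties>
    <!-- Assumed property name and version: pick the jackson-databind
         release that your scanner reports as fixed for CVE-2020-36518. -->
    <jackson-databind.version>2.13.2.1</jackson-databind.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the version kubernetes-client declares
           transitively. Bumping kubernetes-client 5.12.1 -> 5.12.2 alone does
           not change that transitive jackson-databind version, which is why
           the scan finding persists without this block. Keep jackson-core and
           jackson-annotations on the same minor line as databind. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson-databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-client</artifactId>
      <version>5.12.2</version>
    </dependency>
  </dependencies>
</project>
```

Before rebuilding the shaded jar, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows which version the managed entry resolved to; because the artifact is shaded, re-scanning the rebuilt jar is the final confirmation.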