[ 
https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569666#comment-17569666
 ] 

Márton Balassi commented on FLINK-28637:
----------------------------------------

For reference at the moment this is the transitive dependency hierarchy that we 
are pulling this through:

|  +- io.fabric8:kubernetes-client:jar:5.12.2:provided
|  |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:provided

As [~gyfora] suggested, we best keep the fabric8 version in sync with our JOSDK 
dependency, which at the currently used 3.0.3 version also uses 5.12.2 of the 
fabric8 client.

It seems that the fabric8 community is currently working on their 6.0.0 release:

[https://github.com/fabric8io/kubernetes-client/releases/tag/v6.0.0-RC1]

But this still has the same okhttp version as listed above:

[https://github.com/fabric8io/kubernetes-client/blob/v6.0.0-RC1/pom.xml#L84]

Looking through their open issues and PRs I have not found an issue for bumping 
the okhttp version, but found this relevant:

[https://github.com/fabric8io/kubernetes-client/issues/2764]

[~jbusche] would you mind opening an issue on the fabric8 client to report this 
issue and ask their community whether they think this is relevant, and whether 
they would bump the version given this or would rather merge the PR I linked 
above that tries to make the HTTP client agnostic?

> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
>                 Key: FLINK-28637
>                 URL: https://issues.apache.org/jira/browse/FLINK-28637
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.1.0
>            Reporter: James Busche
>            Priority: Major
>
> I noticed a high vulnerability in the 
> flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239    
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: 
> /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are 
> vulnerable for sensitive information disclosure. An illegal character in a 
> header value will cause IllegalArgumentException which will include full 
> header value. This applies to Authorization, Cookie, Proxy-Authorization and 
> Set-Cookie headers. 
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide 
> this fix for the 3.x version.
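The leak described in the issue (an illegal character in a header value producing an IllegalArgumentException whose message carries the whole value) and the shape of the fix, as an added stand-alone illustration; this is not okhttp's code, and the character-validity rule and method names are this example's own assumptions:

```java
import java.util.Locale;
import java.util.Set;

public final class HeaderValueCheck {
    // Header names whose values must never be echoed into logs or exception messages.
    private static final Set<String> SENSITIVE = Set.of(
            "authorization", "cookie", "proxy-authorization", "set-cookie");

    private HeaderValueCheck() {}

    // Assumed validity rule for this example: TAB or printable ASCII 0x20..0x7E.
    // Returns the index of the first illegal character, or -1 if the value is clean.
    private static int firstIllegalIndex(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\t' && (c < 0x20 || c > 0x7e)) return i;
        }
        return -1;
    }

    // Vulnerable pattern: the full value (e.g. a bearer token) lands in the message.
    public static void checkValueLeaky(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i >= 0) {
            throw new IllegalArgumentException(String.format(
                    "Unexpected char %#04x at %d in %s value: %s",
                    (int) value.charAt(i), i, name, value));
        }
    }

    // Hardened pattern: report the position, but redact credential-bearing headers.
    public static void checkValue(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i >= 0) {
            boolean secret = SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
            throw new IllegalArgumentException(String.format(
                    "Unexpected char %#04x at %d in %s value: %s",
                    (int) value.charAt(i), i, name, secret ? "<redacted>" : value));
        }
    }

    public static void main(String[] args) {
        String token = "Bearer constructed-sample-token\u0000"; // constructed value with an illegal NUL
        try { checkValueLeaky("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("leaky:    " + e.getMessage()); }
        try { checkValue("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("hardened: " + e.getMessage()); }
    }
}
```

The first message prints the token in full, which is what ends up in application logs and crash reports when the vulnerable library is used; the second keeps the diagnostic (character and offset) without the secret.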



--
This message was sent by Atlassian Jira
(v8.20.10#820010)