[https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17570063#comment-17570063]
Márton Balassi commented on FLINK-28637:
----------------------------------------
Fortunately both the Fabric8 and the JOSDK communities were very responsive, which
gives a path for fixing this. However, given the following:
1. The HTTP client is internal to the operator, so this vulnerability is very
unlikely to affect it,
2. We also need to bump the dependency within the Flink native k8s integration,
3. We need extensive testing to make sure the new dependency version behaves
properly,
my suggestion is to release 1.1.0 with this as a known issue and fix it in
1.1.1. That said, we can merge a fix for it to release-1.1 as soon as
possible, so folks who are prohibited from using the 1.1.0 version can roll their
own image from source.
The JOSDK folks offered to produce a new patch release that we can depend on in
1.1.1.
> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
> Key: FLINK-28637
> URL: https://issues.apache.org/jira/browse/FLINK-28637
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.1.0
> Reporter: James Busche
> Priority: Major
>
> I noticed a high vulnerability in the
> flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix, High severity
> cve: PRISMA-2022-0239
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are
> vulnerable to sensitive information disclosure. An illegal character in a
> header value will cause an IllegalArgumentException which will include the full
> header value. This applies to the Authorization, Cookie, Proxy-Authorization and
> Set-Cookie headers.
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide
> this fix for the 3.x version.
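A practitioner-side check that follows from the report above, added here as an example and not code from the Flink or okhttp projects: it reads the okhttp version bundled in a shaded jar and flags anything older than the 4.9.2 fix named in the issue. It assumes the shade plugin kept okhttp's Maven pom.properties inside the jar; the sample jars are constructed in the code.

```python
import io
import re
import zipfile

# Fixed release taken from the issue text; anything older is flagged.
FIXED_OKHTTP = (4, 9, 2)
# Assumption: the shaded jar still carries Maven's marker file for the bundled okhttp.
POM_PROPERTIES = "META-INF/maven/com.squareup.okhttp3/okhttp/pom.properties"

def parse_version(text):
    """Turn '3.12.12' into (3, 12, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))

def bundled_okhttp_version(jar_bytes):
    """Return the okhttp version recorded in the jar, or None if the marker file is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode().splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    return None

def is_vulnerable(jar_bytes):
    """True if the bundled okhttp predates the fix, False if not, None if it cannot be determined."""
    version = bundled_okhttp_version(jar_bytes)
    if version is None:
        return None
    return version < FIXED_OKHTTP

def make_jar(okhttp_version):
    """Constructed stand-in for a shaded jar: only the marker file, no classes.
    Passing None produces a jar without the marker, i.e. the undetermined case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if okhttp_version is not None:
            jar.writestr(POM_PROPERTIES,
                         f"groupId=com.squareup.okhttp3\nartifactId=okhttp\nversion={okhttp_version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    labels = {True: "vulnerable", False: "fixed", None: "undetermined"}
    for v in ("3.12.12", "4.9.2", None):
        print(v, labels[is_vulnerable(make_jar(v))])
```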