[ https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17570096#comment-17570096 ]

Jeesmon Jacob commented on FLINK-28637:
---------------------------------------

[~mbalassi] Like JOSDK explicitly sets the okhttp version, can we use the same 
approach in 1.1.0 until we can upgrade JOSDK? That way we don't need to ship a 
new version with a vulnerability. I'm using this approach locally in 1.0.1 and 
am happy to create a PR. All e2e tests are passing with the okhttp version upgrade.

Just adding the diff here so we can refer to it in case we decide not to fix it now 
and someone needs it to satisfy their internal security requirements.
{code:java}
diff --git a/flink-kubernetes-operator/pom.xml 
b/flink-kubernetes-operator/pom.xml
index 6e85b8c..e82a5e9 100644
--- a/flink-kubernetes-operator/pom.xml
+++ b/flink-kubernetes-operator/pom.xml
@@ -143,6 +143,28 @@ under the License.
             <version>${junit.jupiter.version}</version>
             <scope>test</scope>
         </dependency>
+
+        <!--
+            regarding the okhttp explicit version
+            see https://github.com/fabric8io/kubernetes-client/issues/4290
+            and https://issues.apache.org/jira/browse/FLINK-28637
+            -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>${okhttp.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>logging-interceptor</artifactId>
+            <version>${okhttp.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <version>${okhttp.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>

     <build>
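Review bot: the okhttp and logging-interceptor entries in this hunk carry no `<scope>`, so the operator module gains two direct compile-scope dependencies whose only purpose is to override the version pulled in transitively; pinning them in the root pom's `<dependencyManagement>` (visible as context in the second hunk) would enforce `${okhttp.version}` for every module that resolves okhttp without adding direct dependencies. If the direct declarations are kept on purpose, the XML comment above them should say so; the `mockwebserver` entry with `<scope>test</scope>` is fine as is.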
diff --git a/pom.xml b/pom.xml
index 279f0b5..9f04d01 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,6 +79,8 @@ under the License.

         <spotless.version>2.4.2</spotless.version>
         <it.skip>true</it.skip>
+
+        <okhttp.version>4.10.0</okhttp.version>
     </properties>

     <dependencyManagement>
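Review bot: `<okhttp.version>4.10.0</okhttp.version>` is a major-version jump from the 3.12.12 the issue says is currently shipped, and nothing at the property records that the floor is 4.9.2, the fix release named in the issue; a short XML comment on the property, e.g. `<!-- must stay >= 4.9.2, see FLINK-28637 -->`, keeps a later edit from dropping back into the vulnerable range. The blank line added before the property also breaks the single-spaced layout of the neighbouring `spotless.version` and `it.skip` entries and should be removed.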
{code}

> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
>                 Key: FLINK-28637
>                 URL: https://issues.apache.org/jira/browse/FLINK-28637
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.1.0
>            Reporter: James Busche
>            Priority: Major
>
> I noticed a high vulnerability in the 
> flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239    
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: 
> /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are 
> vulnerable for sensitive information disclosure. An illegal character in a 
> header value will cause IllegalArgumentException which will include full 
> header value. This applies to Authorization, Cookie, Proxy-Authorization and 
> Set-Cookie headers. 
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide 
> this fix for the 3.x version.
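As an added check (not code from the commenter or the Flink project), the following Python script scans `mvn dependency:tree` output for okhttp3 artifacts below the 4.9.2 fix version quoted in the issue, so the pin in the diff above can be verified before and after it is applied. The sample trees are constructed, and the JOSDK/fabric8 versions in them are placeholders, not real release numbers.

```python
import re

OKHTTP_GROUP = "com.squareup.okhttp3"
OKHTTP_FIXED = (4, 9, 2)  # fix version quoted in FLINK-28637; older still leaks

# Coordinates as `mvn dependency:tree` prints them:
# groupId:artifactId:type[:classifier]:version:scope (version starts with a digit)
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w\-]+)?"
    r":(?P<version>\d[\w.\-]*):(?P<scope>\w+)"
)

def parse_version(text):
    """'4.10.0' -> (4, 10, 0). Numeric tuples compare correctly, whereas a
    plain string comparison would rank '4.10.0' below '4.9.2'."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def find_vulnerable_okhttp(tree_text, fixed=OKHTTP_FIXED):
    """Return [(artifact, version)] for every okhttp3 artifact in the tree
    that resolves to a version older than the fixed release."""
    hits = []
    for line in tree_text.splitlines():
        m = _COORD.search(line)
        if m and m.group("group") == OKHTTP_GROUP:
            if parse_version(m.group("version")) < fixed:
                hits.append((m.group("artifact"), m.group("version")))
    return hits

# Constructed sample trees; the 0.0.0 entries are placeholders, not real
# JOSDK/fabric8 versions. Before the pin, okhttp arrives transitively.
TREE_BEFORE = r"""
[INFO] org.apache.flink:flink-kubernetes-operator:jar:1.1.0
[INFO] \- io.javaoperatorsdk:operator-framework:jar:0.0.0:compile
[INFO]    \- io.fabric8:kubernetes-client:jar:0.0.0:compile
[INFO]       +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO]       \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:compile
"""
# After the pin, the explicit declarations win Maven's dependency mediation.
TREE_AFTER = r"""
[INFO] org.apache.flink:flink-kubernetes-operator:jar:1.1.0
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
[INFO] +- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
[INFO] +- com.squareup.okhttp3:mockwebserver:jar:4.10.0:test
[INFO] \- io.javaoperatorsdk:operator-framework:jar:0.0.0:compile
"""
```

Run it against real `mvn dependency:tree` output from the operator module to confirm no okhttp3 artifact still resolves below 4.9.2 after the pin.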



--
This message was sent by Atlassian Jira
(v8.20.10#820010)